Feeds

Google bod exposes Sophos Antivirus' gaping holes

Ormandy - Are you pleased with yourself? Probably yes

Providing a secure and efficient Helpdesk

A security researcher has discovered embarrassing and critical vulnerabilities in Sophos' enterprise protection software.

Tavis Ormandy, an information security engineer at Google, published a paper along with example attack code to highlight flaws present in Windows, Linux and Mac OS X builds of Sophos' antivirus product.

The holes can be reliably and easily exploited by hackers to compromise the computers the software is supposed to defend. Specifically, the antivirus scanner fails to safely examine encrypted PDFs and VisualBasic files, which could arrive in an email or website download; these documents can be crafted to trigger flaws within the software and gain control of the system.

In response, Sophos confirmed today that most of the eight vulnerabilities documented by Ormandy were patched a month after the security researcher reported the bugs in September. The company is adamant the flaws have not been exploited in the wild.

Nonetheless Ormandy - who said his work has nothing to do with his employer - argued in a post to the Full Disclosure mailing list on Monday that the risk is high.

"My paper includes a working pre-authentication remote root exploit that requires zero-interaction, and could be wormed within the next few days," he writes. "I would suggest administrators deploying Sophos products study my results urgently, and implement the recommendations."

Ormandy's dossier [PDF] also includes advice on best practices for Sophos users and is "intended to help administrators of high-value networks minimise the potential damage to their assets caused by Sophos". Even the name of the paper "sophailv2" alludes to failure.

His suggestion that IT bosses "exclude Sophos products from consideration for high-value networks and assets" is unlikely to find much favour at Sophos HQ.

Ormandy is also critical of the overall quality of programming and quality assurance testing by Sophos as well as the company's insistence that the exploitation of the holes is unlikely.

"A working exploit for Sophos 8.0.6 on Mac is available, however the techniques used in the exploit easily transfer to Windows and Linux due to multiple critical implementation flaws described in the paper. Test cases for the other flaws described in the paper are available on request," he wrote.

Ormandy reported the vulnerabilities to Sophos on 10 September. Five of the flaws were mitigated in a new version rolled out to users on 22 October. A further two security bugs were quashed on 5 November. The security firm promises a fix for a further bug, which causes its software to crash, by the end of the month.

As well as the PDF and Visual Basic blunders, vulnerabilities were found in the antivirus engine's handling of malformed CAB and RAR files, which corrupted the computer system's memory if triggered - another headache for sysadmins. The software also needlessly knackered the Windows operating system's ASLR defence mechanism against malicious code, and was vulnerable to cross-site scripting attacks. These flaws have been patched.

A demonstration of the Sophos Anti-Virus Sophail PDF Vulnerability, the worst of the vulnerabilities uncovered by Ormandy, can be found here as a Metasploit payload.

Best of enemies

There's a history between Sophos and Ormandy, which goes some way to explain the somewhat aggressive tone of their latest exchanges.

The Google engineer delivered a presentation on what he argued were shortcomings in Sophos software at Black Hat USA in August 2011. Prior to this writers on the Sophos Naked Security blog repeatedly criticised Ormandy over the allegedly "irresponsible disclosure" of a zero-day vulnerability in Windows Help and Support Center that affected Windows XP machines in June 2010.

Days later Sophos published an article provocatively titled Tavis Ormandy - are you pleased with yourself? Website exploits Microsoft zero-day. The revealed flaw was subsequently used by miscreants to infect more than 10,000 PCs in less than one month, according to Sophos.

El Reg counted five articles and a podcast openly critical of Ormandy on the Naked Security blog, not including the two posts on the vulnerabilities he's discovered in Sophos software, which are a bit passive aggressive but overall neutral in tone, if you discount the anger over the Windows flaw uncovered two years ago.

By comparison the crooks behind Operation Ghost Click, a massive online crime wave uncovered last year, are mentioned only twice, although in fairness the DNS Changer malware the crims peddled has been frequently covered by Sophos.

Love Bug worm author Onel de Guzman gets only three mentions. That's not to say Sophos blog writers hold Ormandy in lower regard than de Guzman, but it does suggest they may have gone a bit over the top with their criticism of Ormandy two years ago - something that may have encouraged subsequent probing of the UK-based software company's products.

Graham Cluley, a senior technology consultant at Sophos, welcomed Ormandy's efforts.

"Sophos products are better than they were three months ago and Tavis's research has helped," Cluley told El Reg. "He told us about vulnerabilities we didn't know about before, which we've successfully been able to patch."

Every security system vendor suffers from vulnerabilities from time to time, and it's far better that the flaws are reported by researchers such as Ormandy and fixed before they are exploited by hackers, Cluley added. ®

New hybrid storage solutions

More from The Register

next story
Apple Pay is a tidy payday for Apple with 0.15% cut, sources say
Cupertino slurps 15 cents from every $100 purchase
Google recommends pronounceable passwords
Super Chrome goes into battle with Mr Mxyzptlk
Infosec geniuses hack a Canon PRINTER and install DOOM
Internet of Stuff securo-cockups strike yet again
Reddit wipes clean leaked celeb nudie pics, tells users to zip it
Now we've had all THAT TRAFFIC, we 'deplore' this theft
YouTube, Amazon and Yahoo! caught in malvertising mess
Cisco says 'Kyle and Stan' attack is spreading through compromised ad networks
TorrentLocker unpicked: Crypto coding shocker defeats extortionists
Lousy XOR opens door into which victims can shove a foot
Greater dev access to iOS 8 will put us AT RISK from HACKERS
Knocking holes in Apple's walled garden could backfire, says securo-chap
prev story

Whitepapers

Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.
Top 5 reasons to deploy VMware with Tegile
Data demand and the rise of virtualization is challenging IT teams to deliver storage performance, scalability and capacity that can keep up, while maximizing efficiency.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.
Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.