Feeds

Google bod exposes Sophos Antivirus' gaping holes

Ormandy - Are you pleased with yourself? Probably yes

Using blade systems to cut costs and sharpen efficiencies

A security researcher has discovered embarrassing and critical vulnerabilities in Sophos' enterprise protection software.

Tavis Ormandy, an information security engineer at Google, published a paper along with example attack code to highlight flaws present in Windows, Linux and Mac OS X builds of Sophos' antivirus product.

The holes can be reliably and easily exploited by hackers to compromise the computers the software is supposed to defend. Specifically, the antivirus scanner fails to safely examine encrypted PDFs and VisualBasic files, which could arrive in an email or website download; these documents can be crafted to trigger flaws within the software and gain control of the system.

In response, Sophos confirmed today that most of the eight vulnerabilities documented by Ormandy were patched a month after the security researcher reported the bugs in September. The company is adamant the flaws have not been exploited in the wild.

Nonetheless Ormandy - who said his work has nothing to do with his employer - argued in a post to the Full Disclosure mailing list on Monday that the risk is high.

"My paper includes a working pre-authentication remote root exploit that requires zero-interaction, and could be wormed within the next few days," he writes. "I would suggest administrators deploying Sophos products study my results urgently, and implement the recommendations."

Ormandy's dossier [PDF] also includes advice on best practices for Sophos users and is "intended to help administrators of high-value networks minimise the potential damage to their assets caused by Sophos". Even the name of the paper "sophailv2" alludes to failure.

His suggestion that IT bosses "exclude Sophos products from consideration for high-value networks and assets" is unlikely to find much favour at Sophos HQ.

Ormandy is also critical of the overall quality of programming and quality assurance testing by Sophos as well as the company's insistence that the exploitation of the holes is unlikely.

"A working exploit for Sophos 8.0.6 on Mac is available, however the techniques used in the exploit easily transfer to Windows and Linux due to multiple critical implementation flaws described in the paper. Test cases for the other flaws described in the paper are available on request," he wrote.

Ormandy reported the vulnerabilities to Sophos on 10 September. Five of the flaws were mitigated in a new version rolled out to users on 22 October. A further two security bugs were quashed on 5 November. The security firm promises a fix for a further bug, which causes its software to crash, by the end of the month.

As well as the PDF and Visual Basic blunders, vulnerabilities were found in the antivirus engine's handling of malformed CAB and RAR files, which corrupted the computer system's memory if triggered - another headache for sysadmins. The software also needlessly knackered the Windows operating system's ASLR defence mechanism against malicious code, and was vulnerable to cross-site scripting attacks. These flaws have been patched.

A demonstration of the Sophos Anti-Virus Sophail PDF Vulnerability, the worst of the vulnerabilities uncovered by Ormandy, can be found here as a Metasploit payload.

Best of enemies

There's a history between Sophos and Ormandy, which goes some way to explain the somewhat aggressive tone of their latest exchanges.

The Google engineer delivered a presentation on what he argued were shortcomings in Sophos software at Black Hat USA in August 2011. Prior to this writers on the Sophos Naked Security blog repeatedly criticised Ormandy over the allegedly "irresponsible disclosure" of a zero-day vulnerability in Windows Help and Support Center that affected Windows XP machines in June 2010.

Days later Sophos published an article provocatively titled Tavis Ormandy - are you pleased with yourself? Website exploits Microsoft zero-day. The revealed flaw was subsequently used by miscreants to infect more than 10,000 PCs in less than one month, according to Sophos.

El Reg counted five articles and a podcast openly critical of Ormandy on the Naked Security blog, not including the two posts on the vulnerabilities he's discovered in Sophos software, which are a bit passive aggressive but overall neutral in tone, if you discount the anger over the Windows flaw uncovered two years ago.

By comparison the crooks behind Operation Ghost Click, a massive online crime wave uncovered last year, are mentioned only twice, although in fairness the DNS Changer malware the crims peddled has been frequently covered by Sophos.

Love Bug worm author Onel de Guzman gets only three mentions. That's not to say Sophos blog writers hold Ormandy in lower regard than de Guzman, but it does suggest they may have gone a bit over the top with their criticism of Ormandy two years ago - something that may have encouraged subsequent probing of the UK-based software company's products.

Graham Cluley, a senior technology consultant at Sophos, welcomed Ormandy's efforts.

"Sophos products are better than they were three months ago and Tavis's research has helped," Cluley told El Reg. "He told us about vulnerabilities we didn't know about before, which we've successfully been able to patch."

Every security system vendor suffers from vulnerabilities from time to time, and it's far better that the flaws are reported by researchers such as Ormandy and fixed before they are exploited by hackers, Cluley added. ®

Boost IT visibility and business value

More from The Register

next story
Secure microkernel that uses maths to be 'bug free' goes open source
Hacker-repelling, drone-protecting code will soon be yours to tweak as you see fit
14 antivirus apps found to have security problems
Vendors just don't care, says researcher, after finding basic boo-boos in security software
Only '3% of web servers in top corps' fully fixed after Heartbleed snafu
Just slapping a patched OpenSSL on a machine ain't going to cut it, we're told
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Israel's Iron Dome missile tech stolen by Chinese hackers
Corporate raiders Comment Crew fingered for attacks
Roll out the welcome mat to hackers and crackers
Security chap pens guide to bug bounty programs that won't fail like Yahoo!'s
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
Researcher sat on critical IE bugs for THREE YEARS
VUPEN waited for Pwn2Own cash while IE's sandbox leaked
prev story

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
Application security programs and practises
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
Securing Web Applications Made Simple and Scalable
Learn how automated security testing can provide a simple and scalable way to protect your web applications.