Google Engineer: Sophos Antivirus Not Safe for Businesses

Source: CSO | 13 comments

A Google engineer claims that the Sophos Antivirus client shouldn't be used on high-value information systems in the government, healthcare and military sectors.

Google security engineer Tavis Ormandy recently discovered several flaws in the Sophos Antivirus client, and he is now asking that the software be kept away from high-value information systems.

Ormandy's findings were released in a 30-page analysis called "Sophail: Applied Attacks Against Sophos Antivirus" (PDF). In the report, he states that the flaws were caused by "poor development practices and coding standards." He also claims that Sophos was rather slow in its response to his warnings that he already had working exploits locked and loaded for those very flaws.

According to Ormandy, one exploit targets a flaw in Sophos' on-access scanner, the component that inspects files as they are written to disk. Because of that, the exploit could be used to release a worm on a network simply by attaching the malicious file to an email delivered to Outlook: the message doesn't need to be read or opened, since the scanner processes the attachment as soon as it lands on disk. Even a webmail client is enough, he claims, because an attacker can embed images using MIME cid: URLs, and the browser writes those images to its cache, which again triggers the scanner.
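The delivery path described above, as an added example that is not code from the article or from the Sophail paper: it builds a multipart/related message whose HTML body references an image part by a MIME cid: URL, then simulates the client side, where rendering the HTML fetches every cid:-referenced part and writes it to a cache directory before the recipient opens anything. Whatever lands on disk that way is what an on-access scanner inspects. The image bytes, addresses and Content-IDs are constructed placeholders; nothing here reproduces the malicious file format, and `auto_fetched_parts` is a hypothetical gateway-side check, not a Sophos or Google tool.

```python
"""Simulated delivery of an inline cid: image through a mail client.

Added example, not code from the article or from the Sophail paper.
The image bytes are a constructed placeholder, not a malicious file.
"""
import email
import email.policy
import os
import re
import tempfile
from email.message import EmailMessage

# Constructed placeholder standing in for an attacker-supplied file.
SAMPLE_IMAGE = b"\x89PNG\r\n\x1a\n" + bytes(range(16))

# src="cid:..." references inside the HTML body.
CID_RE = re.compile(r"""src\s*=\s*["']cid:([^"']+)["']""", re.IGNORECASE)


def build_message(image_bytes, content_id="logo@example.invalid", referenced=None):
    """Build a message with an HTML part that inlines `image_bytes` via cid:.
    `referenced` lets the HTML point at a different Content-ID than the one
    actually attached, to show that a dangling reference fetches nothing."""
    referenced = referenced or content_id
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"   # constructed addresses
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "constructed test message"
    msg.set_content("plain-text fallback")
    msg.add_alternative(
        f'<html><body><p>hello</p><img src="cid:{referenced}"></body></html>',
        subtype="html",
    )
    html_part = msg.get_payload()[1]          # the text/html alternative
    html_part.add_related(image_bytes, "image", "png", cid=f"<{content_id}>")
    return msg.as_bytes()


def parts_by_cid(msg):
    """Map Content-ID (without angle brackets) to the MIME part carrying it."""
    out = {}
    for part in msg.walk():
        cid = part.get("Content-ID")
        if cid:
            out[cid.strip().strip("<>")] = part
    return out


def auto_fetched_parts(raw):
    """Hypothetical gateway-side check: which parts will a rendering client
    materialise on disk with no user action? Returns [(cid, type, size)]."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    parts = parts_by_cid(msg)
    found = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        for cid in CID_RE.findall(part.get_content()):
            if cid in parts:                  # dangling cid: fetches nothing
                body = parts[cid].get_payload(decode=True)
                found.append((cid, parts[cid].get_content_type(), len(body)))
    return found


def simulate_render(raw):
    """Client side: write every auto-fetched part to a cache directory, the
    way a browser or mail client caches inline images while rendering, and
    return {cid: bytes read back from disk}. Those writes are what reach an
    on-access scanner before the recipient has clicked anything."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    parts = parts_by_cid(msg)
    cached = {}
    with tempfile.TemporaryDirectory() as cache_dir:
        for cid, _ctype, _size in auto_fetched_parts(raw):
            path = os.path.join(cache_dir, cid.replace("@", "_at_"))
            with open(path, "wb") as fh:
                fh.write(parts[cid].get_payload(decode=True))
            with open(path, "rb") as fh:       # read back: bytes reached disk
                cached[cid] = fh.read()
    return cached


if __name__ == "__main__":
    raw = build_message(SAMPLE_IMAGE)
    print("auto-fetched:", auto_fetched_parts(raw))
    print("cached:", {k: len(v) for k, v in simulate_render(raw).items()})
```

The point of `auto_fetched_parts` is that a mail gateway can enumerate exactly the parts a client will write to disk unprompted (every part whose Content-ID is referenced from the HTML) and scan, strip or rewrite those before the message reaches a client whose local scanner is the weak point.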

"[I]nstalling Sophos Antivirus exposes machines to considerable risk," he states in the report. "If Sophos do not urgently improve their security posture, their continued deployment causes significant risk to global networks and infrastructure."

The security firm reportedly received an early version of the paper on September 10 and commended Ormandy for his "responsible disclosure". Sophos and Ormandy had clashed a few years earlier after he reported a Windows XP bug to Microsoft and then released the attack code five days later; Sophos called that disclosure "irresponsible" because Microsoft had not been given enough time to fix the issue.

Sophos said on Tuesday that the bulk of the issues revealed in the report were fixed as of October 22, just 42 days later, followed by a second fix on November 5. A third patch is slated to arrive on November 28 that will address "malformed files which can cause the Sophos antivirus engine to halt," the security firm said.

"The work of Tavis Ormandy, and others like him in the research community, who choose to work alongside security companies, can significantly strengthen software products," Sophos said. "On behalf of its partners and customers, Sophos appreciates Tavis Ormandy's efforts and responsible approach."

Ormandy wasn't quite so flattering in his report, saying that Sophos originally wanted six months to fix the flaws. After negotiations, the security firm finally agreed to two months. "Sophos were able to convince me they were working with good intentions, but they were clearly ill-equipped to handle the output of one co-operative security researcher working in his spare time," he said.

Ormandy warns that Sophos products should be used only on low-value, non-critical systems and never deployed on networks or in environments in the healthcare, government, finance and military sectors, where a complete compromise by adversaries would be "inconvenient".

"As a security company, keeping customers safe is Sophos's primary responsibility," the security firm said. "As a result, Sophos experts investigate all vulnerability reports and implement the best course of action in the tightest time period possible."

 

Comments
  • joytech22, November 8, 2012 11:11 PM (+11)
    When Google points out a flaw with a security application, they should listen and act fast.
    You don't want Google saying "Do not use *Product Name" about your product.

    That would end pretty badly.
  • halcyon, November 8, 2012 11:48 PM (+8)
    Sophos has never been a product I considered anyways. Too many alternatives.
  • A Bad Day, November 8, 2012 11:49 PM (+11)
    Quote:
    Ormandy wasn't quite so flattering in his report, saying that Sophos originally wanted six months to fix the flaws. After negotiations, the security firm finally agreed to two months.


    This is the era where just more than a week of known vulnerability is begging for trouble, or even just hours. Completely unacceptable, especially for security companies that have highly-targeted clients.
  • zybch, November 9, 2012 12:31 AM (-4)
    Sort of ironic that the guy from google, while attempting to discredit another company's security efforts, uses the most insecure product after flash to publish his 'findings'.
    Adobe acrobat and its dreadfully flawed and insecure .PDF format.
  • jhansonxi, November 9, 2012 1:14 AM (+2)
    zybch: Sort of ironic that the guy from google, while attempting to discredit another company's security efforts, uses the most insecure product after flash to publish his 'findings'. Adobe acrobat and its dreadfully flawed and insecure .PDF format.
    Many applications can create PDF files, including LibreOffice. The document properties of the report indicate Documill was used.
  • Anonymous, November 9, 2012 1:44 AM (-1)
    Ha! Sophos is what GE Healthcare uses. It is a massive POS, but is GE, so I guess they go hand in hand.
  • Anonymous, November 9, 2012 2:21 AM (0)
    Why does trying to access the PDF give me an "Invalid Certificate" warning on Firefox?
  • SGTgimpy, November 9, 2012 4:18 AM (0)
    Actually Sophos is one of the better anti-virus systems out there, and talking about issues, McAfee anyone? Oops, sorry everyone for sending out a patch that not only made the original issue worse but now you can no longer access the internet because we messed up for the 4th time in a year. See you next week when we may fix it.

    No anti-virus software is 100% perfect and I know they all have at least one nasty flaw that exists, but what these people that find these flaws don't really mention is the extremely rare and off-the-wall circumstances that have to exist to take advantage of the exploit, at which point you deserve to get screwed no matter what AV you're using if you let your security get that bad.

    And anyone in a large corporation not using a gateway-level mail and content filtering appliance for communication security needs to look for another line of work. I think client-based software solutions went out back in the 90's.
  • digiex, November 9, 2012 6:14 AM (+2)
    he states that the flaws were caused by "poor development practices and coding standards."

    This hurts, for the programmers of Sophos.
  • Thunderfox, November 9, 2012 10:53 AM (-1)
    How long until Sophos sues him?
  • halcyon, November 9, 2012 12:20 PM (+1)
    Thunderfox: How long until Sophos sues him?

    For what? Being honest?
  • unoriginal1, November 9, 2012 1:37 PM (0)
    Lol, anyone else have a "grand" time with the Sophos false positive they released in one of their updates? Was about... 2-3 months ago if I remember right. Sophos has always prided themselves on being the go-to guys for large businesses. But that was a huge ding in their reputation. And now having someone like Google publicly saying they are flawed :/ . Could be a bumpy road for them.
  • zybch, November 9, 2012 5:28 PM (-1)
    jhansonxi: Many applications can create PDF files, including LibreOffice. The document properties of the report indicate Documill was used.

    The .PDF format is hopelessly insecure and a vehicle for malware. It doesn't matter which program you use to create the file, it's a bad format that should have been dumped years ago but, just like the bloated mess that is Photoshop, its inertia has prevented any other better product from making inroads.