Google Engineer: Sophos Antivirus Not Safe for Businesses
A Google engineer claims that the Sophos Antivirus client shouldn't be used in high value information systems located in government, healthcare and military sectors.
Several flaws were recently discovered in the Sophos Antivirus client that now has Google security engineer Tavis Ormandy requesting that the software be kept away from high value information systems.
Ormandy's findings were released in a 30-page analysis called "Sophail: Applied Attacks Against Sophos Antivirus" (PDF). In the report, he states that the flaws were caused by "poor development practices and coding standards." He also claims that Sophos was rather slow in its response to his warnings that he already had working exploits locked and loaded for those very flaws.
According to Ormandy, one exploit targets a flaw in Sophos' on-access scanner. This exploit could be used to unleash a worm on a network by attaching it to an email sent via Outlook – the message doesn't need to be read or opened to launch the payload. Even a webmail client is enough, he claims, as an attacker can embed images using MIME cid: URLs and trigger cache writes.
"[I]nstalling Sophos Antivirus exposes machines to considerable risk," he states in the report. "If Sophos do not urgently improve their security posture, their continued deployment causes significant risk to global networks and infrastructure."
The security firm reportedly received an early version of the paper on September 10, and commended Ormandy for his "responsible disclosure". Sophos and Ormandy previously clashed a few years back after he reported a Windows XP bug to Microsoft and then released the attack code five days later. Sophos called the disclosure "irresponsible" because not enough time had been given to fix the issue.
Sophos said on Tuesday that the bulk of the issues revealed in the report were fixed as of October 22, just 42 days later, followed by a second fix on November 5. A third patch is slated to arrive on November 28 that will address "malformed files which can cause the Sophos antivirus engine to halt," the security firm said.
"The work of Tavis Ormandy, and others like him in the research community, who choose to work alongside security companies, can significantly strengthen software products," Sophos said. "On behalf of its partners and customers, Sophos appreciates Tavis Ormandy's efforts and responsible approach."
Ormandy wasn't quite so flattering in his report, saying that Sophos originally wanted six months to fix the flaws. After negotiations, the security firm finally agreed to two months. "Sophos were able to convince me they were working with good intentions, but they were clearly ill-equipped to handle the output of one co-operative security researcher working in his spare time," he said.
Ormandy warns that Sophos products should be used on low-value non-critical systems and never deployed on networks or environments in the healthcare, government, finance and military sectors where a complete compromise by adversaries would be "inconvenient".
"As a security company, keeping customers safe is Sophos's primary responsibility," the security firm said. "As a result, Sophos experts investigate all vulnerability reports and implement the best course of action in the tightest time period possible."
Kevin started taking PCs apart in the 90s when Quake was on the way and his PC lacked the required components. Since then, he’s loved all things PC-related and cool gadgets ranging from the New Nintendo 3DS to Android tablets. He is currently a contributor at Digital Trends, writing about everything from computers to how-to content on Windows and Macs to reviews of the latest laptops from HP, Dell, Lenovo, and more.
Comments

joytech22: When Google points out a flaw with a security application, they should listen and act fast.
You don't want Google saying "Do not use *Product Name*" about your product.
That would end pretty badly.
A Bad Day (quoting the article): "Ormandy wasn't quite so flattering in his report, saying that Sophos originally wanted six months to fix the flaws. After negotiations, the security firm finally agreed to two months."
This is the era where just more than a week of known vulnerability is begging for trouble, or even just hours. Completely unacceptable, especially for security companies that have highly-targeted clients.
zybch: Sort of ironic that the guy from Google, while attempting to discredit another company's security efforts, uses the most insecure product after Flash to publish his 'findings'.
Adobe Acrobat and its dreadfully flawed and insecure .PDF format.
jhansonxi (replying to zybch): "Sort of ironic that the guy from Google, while attempting to discredit another company's security efforts, uses the most insecure product after Flash to publish his 'findings'. Adobe Acrobat and its dreadfully flawed and insecure .PDF format."
Many applications can create PDF files, including LibreOffice. The document properties of the report indicate Documill was used.

Unnamed commenter: Ha! Sophos is what GE Healthcare uses. It is a massive POS, but it is GE, so I guess they go hand in hand.
SGTgimpy: Actually Sophos is one of the better anti-virus systems out there, and talking about issues, McAfee anyone? Oops, sorry everyone for sending out a patch that not only made the original issue worse, but now you can no longer access the internet because we messed up for the 4th time in a year. See you next week when we may fix it.
No anti-virus software is 100% perfect and I know they all have at least one nasty flaw that exists, but what these people that find these flaws don't really mention is the extremely rare and off-the-wall circumstances that have to exist to take advantage of the exploit, at which point you deserve to get screwed no matter what AV you're using if you let your security get that bad.
And anyone in a large corporation not using a gateway-level mail and content filtering appliance for communication security needs to look for another line of work. I think client-based software solutions went out back in the '90s.
digiex (quoting the article): "he states that the flaws were caused by 'poor development practices and coding standards.'"
This hurts, for the programmers of Sophos.
