Several flaws were recently discovered in the Sophos Antivirus client that now has Google security engineer Tavis Ormandy requesting that the software be kept away from high value information systems.
Ormandy's findings were released in a 30-page analysis called "Sophail: Applied Attacks Against Sophos Antivirus" (PDF). In the report, he states that the flaws were caused by "poor development practices and coding standards." He also claims that Sophos was rather slow in its response to his warnings that he already had working exploits locked and loaded for those very flaws.
According to Ormandy, one exploit is for a flaw located in Sophos' on-access scanner. This exploit could be used to unleash a worm on a network by attaching it to an email via Outlook – it doesn't need to be read or opened to launch the payload. Even using a webmail client is enough, he claims, as an attacker can embed images using MIME cid: urls and trigger cache writes.
"[I]nstalling Sophos Antivirus exposes machines to considerable risk," he states in the report. "If Sophos do not urgently improve their security posture, their continued deployment causes significant risk to global networks and infrastructure."
The security firm reportedly received an early version of the paper on September 10, and commended Ormandy for his "responsible disclosure". Sophos and Ormandy previously clashed a few years back after he reported a Windows XP bug to Microsoft and then released the attack code five days later. Sophos called the disclosure "irresponsible" because there wasn't enough given time to fix the issue.
Sophos said on Tuesday that the bulk of the issues revealed in the report were fixed as of October 22, just 42 days later, followed by a second fix on November 5. A third patch is slated to arrive on November 28 that will address "malformed files which can cause the Sophos antivirus engine to halt," the security firm said.
"The work of Tavis Ormandy, and others like him in the research community, who choose to work alongside security companies, can significantly strengthen software products," Sophos said. "On behalf of its partners and customers, Sophos appreciates Tavis Ormandy's efforts and responsible approach."
Ormandy wasn't quite so flattering in his report, saying that Sophos originally wanted six months to fix the flaws. After negotiations, the security firm finally agreed to two months. "Sophos were able to convince me they were working with good intentions, but they were clearly ill-equipped to handle the output of one co-operative security researcher working in his spare time," he said.
Ormandy warns that Sophos products should be used on low-value non-critical systems and never deployed on networks or environments in the healthcare, government, finance and military sectors where a complete compromise by adversaries would be "inconvenient".
"As a security company, keeping customers safe is Sophos's primary responsibility," the security firm said. "As a result, Sophos experts investigate all vulnerability reports and implement the best course of action in the tightest time period possible."