Google security researcher: Keep Sophos away from high value systems

Sophos is too slow to patch for organisations that rely on it to defend against motivated attackers.

Google security engineer Tavis Ormandy discovered several flaws in Sophos antivirus and says the product should be kept away from high value information systems unless the company can avoid easy mistakes and issue patches faster.

Ormandy has released a scathing 30-page analysis, “Sophail: Applied attacks against Sophos Antivirus”, in which he details several flaws “caused by poor development practices and coding standards”, topped off by the company’s sluggish response to his warning that he had working exploits for those flaws.

One of the exploits Ormandy details is for a flaw in Sophos’ on-access scanner, which could be used to unleash a worm on a network simply by sending an attack email to a company that receives mail via Outlook. Although the example he provided was on a Mac, the “wormable, pre-authentication, zero-interaction, remote root” flaw affected all platforms running Sophos.

Ormandy released the paper (PDF) as an independent security researcher and concludes: “[I]nstalling Sophos Antivirus exposes machines to considerable risk. If Sophos do not urgently improve their security posture, their continued deployment causes significant risk to global networks and infrastructure.”

The Google security engineer courted controversy two years ago after he released attack code for a Microsoft Windows XP bug just five days after reporting it to Microsoft. He appears to have made no such error this time, giving Sophos two months to fix the flaws.

At the time, Sophos security consultant Graham Cluley joined the chorus of security professionals who labelled his disclosure “irresponsible”. This time, however, Sophos commended Ormandy for his “responsible disclosure”.

Sophos, which received an early version of Ormandy’s paper on September 10, issued a terse statement on its blog, noting that the bulk of vulnerabilities had been fixed and that the company had not seen the fixed flaws being exploited in the wild. It plans on releasing further fixes on November 28 for a bug that allows “malformed files” to cause Sophos to halt.

While Sophos commended Ormandy for “responsible disclosure” (keeping the flaws under wraps until it had patched them), Ormandy’s assessment of Sophos’ response is less than flattering and contributes to his conclusion that the product is not fit for high value systems.

Sophos initially estimated it would take six months to produce a patch that involved fixing a “single line of code”. According to Ormandy, Sophos subsequently agreed to two months.

“From this interaction we can conclude that for the simplest vulnerabilities, Sophos simply cannot react fast enough to prevent attacks, even when presented with a working exploit. Should an attacker choose to use Sophos Antivirus as their conduit into your network, Sophos will simply not be able to prevent their continued intrusion for some time, and you must implement contingency plans to handle this scenario if you choose to continue deploying Sophos,” he writes.

One issue Sophos has now fixed was in its Buffer Overflow Protection System (BOPS), which incorrectly disabled the operating system’s own anti-exploitation technology, Address Space Layout Randomisation (ASLR), on Windows Vista and later.

Ormandy found that BOPS, designed to provide “faux-ASLR” to Windows XP systems, disabled the real ASLR on Vista and later, “allowing attackers to develop reliable exploits for what might otherwise have been safe systems.”

The researcher recommends businesses that use Sophos devise a “contingency plan” to “disable Sophos installations across your fleet with short notice” and exclude it from use on high value networks.

“Sophos claim their products are deployed throughout healthcare, government, finance and even the military. The chaos a motivated attacker could cause to these systems is a realistic global threat. For this reason, Sophos products should only ever be considered for low-value non-critical systems and never deployed on networks or environments where a complete compromise by adversaries would be inconvenient,” writes Ormandy.

Ormandy’s final impression of Sophos after negotiating details of his paper over the two months to November 2 was the company was “working with good intentions” but “ill-equipped to handle the output of one co-operative security researcher working in his spare time.”

“It’s important to note that no attacker would share their attack with Sophos in advance of simply using it to compromise their target,” wrote Ormandy.


Stories by Liam Tung
