
Google security researcher: Keep Sophos away from high value systems

Sophos too slow for organisations using it to defend against motivated attackers.

Google security engineer Tavis Ormandy discovered several flaws in Sophos antivirus and says the product should be kept away from high value information systems unless the company can avoid easy mistakes and issue patches faster.

Ormandy has released a scathing 30-page analysis, “Sophail: Applied attacks against Sophos Antivirus”, in which he details several flaws “caused by poor development practices and coding standards”, topped off by the company’s sluggish response to his warning that he had working exploits for those flaws.

One of the exploits Ormandy details is for a flaw in Sophos’ on-access scanner, which could be used to unleash a worm on a network simply by sending an attack email to a company that receives it via Outlook. Although the example he provided was on a Mac, the “wormable, pre-authentication, zero-interaction, remote root” flaw affected all platforms running Sophos.

Ormandy released the paper (PDF) as an independent security researcher and concludes: “[I]nstalling Sophos Antivirus exposes machines to considerable risk. If Sophos do not urgently improve their security posture, their continued deployment causes significant risk to global networks and infrastructure.”

The Google security engineer courted controversy two years ago after he released attack code for a Microsoft Windows XP bug just five days after reporting it to Microsoft. He appears to have made no such error this time, giving Sophos two months to fix the flaws.

At the time, Sophos security consultant Graham Cluley joined the chorus of security professionals that labelled his disclosure “irresponsible”. This time, however, Sophos commended Ormandy for his “responsible disclosure”.

Sophos, which received an early version of Ormandy’s paper on September 10, issued a terse statement on its blog, noting that the bulk of vulnerabilities had been fixed and that the company had not seen the fixed flaws being exploited in the wild. It plans on releasing further fixes on November 28 for a bug that allows “malformed files” to cause Sophos to halt.

While Sophos commended Ormandy for “responsible disclosure”, that is, keeping the flaws under wraps until it had patched them, Ormandy’s assessment of Sophos’ response is less than flattering and contributes to his conclusion that the product is not fit for high value systems.

Sophos initially estimated it would take six months to produce a patch that involved fixing a “single line of code”. According to Ormandy, Sophos subsequently agreed to two months.

“From this interaction we can conclude that for the simplest vulnerabilities, Sophos simply cannot react fast enough to prevent attacks, even when presented with a working exploit. Should an attacker choose to use Sophos Antivirus as their conduit into your network, Sophos will simply not be able to prevent their continued intrusion for some time, and you must implement contingency plans to handle this scenario if you choose to continue deploying Sophos,” he writes.

One issue Sophos has now fixed was its Buffer Overflow Protection System (BOPS), which incorrectly disabled the operating system level anti-exploitation technology, Address Space Layout Randomisation (ASLR), in Windows Vista and later.

Ormandy found that BOPS, designed to provide “faux-ASLR” to XP systems, disabled it in Vista and later, “allowing attackers to develop reliable exploits for what might otherwise have been safe systems.”

The researcher recommends businesses that use Sophos devise a “contingency plan” to “disable Sophos installations across your fleet with short notice” and exclude it from use on high value networks.

“Sophos claim their products are deployed throughout healthcare, government, finance and even the military. The chaos a motivated attacker could cause to these systems is a realistic global threat. For this reason, Sophos products should only ever be considered for low-value non-critical systems and never deployed on networks or environments where a complete compromise by adversaries would be inconvenient,” writes Ormandy.

Ormandy’s final impression of Sophos, after negotiating the details of his paper over the two months to November 2, was that the company was “working with good intentions” but “ill-equipped to handle the output of one co-operative security researcher working in his spare time.”

“It’s important to note that no attacker would share their attack with Sophos in advance of simply using it to compromise their target,” wrote Ormandy.





Why are Google spending time and effort looking for flaws in Sophos's software? Are they also testing Trend, McAfee and Symantec?



He posted it as an independent researcher doing research in his own time. It's pretty explosive stuff, not just the vulnerabilities, as we all know all software has them, but the response is the key thing.



Sophos has flaws huh? Well, this certainly is breaking news that there are vulnerabilities in software, glad this guy who has some sort of vendetta against Sophos has pointed that out (Ormandy has been at this for years now). Why doesn't he see how vulnerable systems are which use what @Mitch commented about?

I will agree that patching flaws in your software shouldn't take 6 months, nor even 2 months, but it's not just a simple matter of "fixing a flaw" and auto-releasing it without doing proper testing. Microsoft has done that way too many times and how many times have your systems crashed because you auto-approved a security update from Microsoft?



This is exactly why IT should deploy a tiered security solution and not rely on one vendor. I have seen countless products fail. Yes, Sophos has issues - let's be real, so do Symantec, McAfee, Kaspersky, and the list goes on...

Deploying solutions configured like an onion (layer after layer), with differing products and levels of control works best.

If your security is so weak you are terrified about a virus, then you probably have not looked at monitoring, alerting, version control; IDS in general, and certainly not things like IP theft control.

Lock things down, build a stable environment with reasonable policies (continually enforced), provide constant training to staff on common sense things like "don't go to that link" or "BBB and IRS never use email for sending notices" and you will be much safer. Your users will become your first line of defense!

Keep an eye on your bandwidth and monitoring and you will quickly know if something is awry.

Troy Rose


Not _really_ sure why Google are picking on Sophos all of a sudden.

Historically, Trend Micro are the worst!

Google: "trend micro"

I personally think an independent analysis of the major top AV vendors and the security they represent (or misrepresent ) is in order.

Having said that, it is a little disappointing that the tools and software that people rely on to protect themselves also leave themselves open to attack.

That's a conundrum in itself. Could an antivirus program detect and prevent an attack on itself that is specifically targeted against itself? Or is there a gap in the market for anti-anti-virus security (or on the flipside anti-virus viruses??).

Could Sophos turn this all around and create a virus which specifically targeted their own Sophos anti-virus security flaws to quickly release and fix this?? And what would they call this? (Perhaps: the Sophos anti-anti-anti-virus?)



I agree with the statements here from others. I worked at a few of these companies and if this was "really" an unbiased review it would have to contain at least 2-3 other companies if not more. I am a hacker myself and I applaud the thought of testing AV companies in hacker attacks. This is part of proactive security (in my opinion) and points to the need for layered security architecture and theory. What I am disappointed about is what the actual truth is behind all this, we have a person who is ticked off at a company that works for Google. What's the real truth behind this? Is Google selling something? Are they buying a security company and going to put themselves up as the security guru? Who knows, I certainly don't. Tavis is a smart guy, it would have done him a lot more credit (to us in the security space as well to be honest) to at least look at 2-3 other AV companies and really do the research as a scientist (keeping things objective). This research would really have opened up a healthy discussion instead of a flaming match, etc. I know he can do real research and that he is smart, but this smells like personal and political more than really wanting AV software (as a whole) to improve.

Another aspect to all this is that we are now entering into a new arms race that sees units of country sponsored hackers that are changing the entire landscape of AV and security in general. We really need to do our jobs better, faster and easier or we could be heading for more trouble. If we are going to talk about moving forward as professionals we need to know what we don't know.
