Researcher finds critical vulnerabilities in Sophos antivirus product

Sophos antivirus should only be considered for low-value non-critical systems, the researcher said

Security researcher Tavis Ormandy discovered critical vulnerabilities in the antivirus product developed by U.K.-based security firm Sophos and advised organizations to avoid using the product on critical systems unless the vendor improves its product development, quality assurance and security response practices.

Ormandy, who works as an information security engineer at Google, disclosed details about the vulnerabilities he found in a research paper entitled "Sophail: Applied attacks against Sophos Antivirus" that was published on Monday. Ormandy noted that the research was performed in his spare time and that the views expressed in the paper are his own and not those of his employer.

The paper contains details about several vulnerabilities in the Sophos antivirus code responsible for parsing Visual Basic 6, PDF, CAB and RAR files. Some of these flaws can be attacked remotely and can result in the execution of arbitrary code on the system.

Ormandy even included a proof-of-concept exploit for the PDF parsing vulnerability which he claims requires no user interaction, no authentication and can be easily transformed into a self-spreading worm.

The researcher built the exploit for the Mac version of Sophos antivirus, but noted that the vulnerability also affects Windows and Linux versions of the product and the exploit can easily be translated to those platforms.

The PDF parsing vulnerability can be exploited by simply receiving an email in Outlook or, Ormandy said in the paper. Because Sophos antivirus automatically intercepts input and output (I/O) operations, opening or reading the email is not even necessary.

"The most realistic attack scenario for a global network worm is self-propagation via email," Ormandy said. "No users are required to interact with the email, as the vulnerability will be automatically exploited."

However, other attack methods are also possible -- for example, by opening any file of any type provided by an attacker; visiting a URL (even in a sandboxed browser), or embedding images using MIME cid: URLs into an email that is opened in a webmail client,the researcher said. "Any method an attacker can use to cause I/O is enough to exploit this vulnerability."

Ormandy also found that a component called the "Buffer Overflow Protection System" (BOPS) that's bundled with Sophos antivirus, disables the ASLR (address space layout randomization) exploit mitigation feature on all Windows versions that support it by default, including Vista and later.

"It is simply inexcusable to disable ASLR systemwide like this, especially in order to sell a naive alternative to customers that is functionally poorer than that provided by Microsoft," Ormandy said.

A website blacklisting component for Internet Explorer installed by Sophos antivirus cancels the protection offered by the browser's Protected Mode feature, the researcher said. In addition, the template used to display warnings by the blacklisting component introduces a universal cross-site scripting vulnerability that defeats the browser's Same Origin Policy.

The Same Origin Policy is "one of the fundamental security mechanisms that makes the internet safe to use," Ormandy said. "With the Same Origin Policy defeated, a malicious website can interact with your Mail, Intranet Systems, Registrar, Banks and Payroll systems, and so on."

Ormandy's comments throughout the paper suggest that many of these vulnerabilities should have been caught during the product development and quality assurance processes.

The researcher shared his findings with Sophos in advance and the company released security fixes for the vulnerabilities disclosed in the paper. Some of the fixes were rolled out on Oct. 22, while the others were released on Nov. 5, the company said Monday in a blog post.

There are still some potentially exploitable issues discovered by Ormandy through fuzzing -- a security testing method -- that were shared with Sophos, but weren't publicly disclosed. Those issues are being examined and fixes for them will start to be rolled out on Nov. 28, the company said.

"As a security company, keeping customers safe is Sophos's primary responsibility," Sophos said. "As a result, Sophos experts investigate all vulnerability reports and implement the best course of action in the tightest time period possible."

"It's good that Sophos has been able to deliver the suite of fixes within weeks, and without disrupting customers' usual operations," Graham Cluley, a senior technology consultant at Sophos, said Tuesday via email. "We are grateful that Tavis Ormandy found the vulnerabilities, as this has helped make Sophos's products better."

However, Ormandy wasn't satisfied with the time it took Sophos to patch the critical vulnerabilities he reported. The issues were reported to the company on September 10, he said.

"In response to early access to this report, Sophos did allocate some resources to resolve the issues discussed, however they were clearly ill-equipped to handle the output of one co-operative, non-adversarial security researcher," Ormandy said. "A sophisticated state-sponsored or highly motivated attacker could devastate the entire Sophos user base with ease."

"Sophos claim their products are deployed throughout healthcare, government, finance and even the military," the researcher said. "The chaos a motivated attacker could cause to these systems is a realistic global threat. For this reason, Sophos products should only ever be considered for low-value non-critical systems and never deployed on networks or environments where a complete compromise by adversaries would be inconvenient."

Ormandy's paper contains a section that describes best practices and includes the researcher's recommendations for Sophos customers, like implementing contingency plans that would allow them to disable Sophos antivirus installations on short notice.

"Sophos simply cannot react fast enough to prevent attacks, even when presented with a working exploit," he said. "Should an attacker choose to use Sophos Antivirus as their conduit into your network, Sophos will simply not be able to prevent their continued intrusion for some time, and you must implement contingency plans to handle this scenario if you choose to continue deploying Sophos."

Join the CSO newsletter!

Error: Please check your email address.

Tags patchessophosGooglesecurityDesktop securityExploits / vulnerabilitiesantivirus

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Lucian Constantin

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place