Google security engineer Tavis Ormandy discovered several flaws in Sophos antivirus and says the product should be kept away from high value information systems unless the company can avoid easy mistakes and issue patches faster.
Ormandy has released a scathing 30-page analysis, “Sophail: Applied attacks against Sophos Antivirus”, in which he details several flaws “caused by poor development practices and coding standards”, topped off by the company’s sluggish response to his warning that he had working exploits for them.
One of the exploits Ormandy details targets a flaw in Sophos’ on-access scanner. Because the scanner inspects incoming mail automatically, an attacker could trigger the bug simply by sending a crafted email to a company’s Outlook users, and the flaw could then be used to unleash a worm on the network. Although the example he provided was on a Mac, the “wormable, pre-authentication, zero-interaction, remote root” flaw affected all platforms running Sophos.
Ormandy released the paper (PDF) as an independent security researcher and concludes: “[I]nstalling Sophos Antivirus exposes machines to considerable risk. If Sophos do not urgently improve their security posture, their continued deployment causes significant risk to global networks and infrastructure.”
The Google security engineer courted controversy two years ago after he released attack code for a Microsoft Windows XP bug just five days after reporting it to Microsoft. He appears to have made no such error this time, giving Sophos two months to fix the flaws.
At the time Sophos security consultant Graham Cluley joined the chorus of security professionals that labelled his disclosure “irresponsible”. However, this time Sophos commended Ormandy for his “responsible disclosure”.
Sophos, which received an early version of Ormandy’s paper on September 10, issued a terse statement on its blog, noting that the bulk of vulnerabilities had been fixed and that the company had not seen the fixed flaws being exploited in the wild. It plans on releasing further fixes on November 28 for a bug that allows “malformed files” to cause Sophos to halt.
While Sophos commended Ormandy for "responsible disclosure" -- that is, keeping the flaws under wraps until it had patched them -- Ormandy’s assessment of Sophos’ response is less than flattering and contributes to his conclusion that the product is not fit for high value systems.
Sophos initially estimated it would take six months to produce a patch that involved fixing a “single line of code”. According to Ormandy, Sophos subsequently agreed to two months.
“From this interaction we can conclude that for the simplest vulnerabilities, Sophos simply cannot react fast enough to prevent attacks, even when presented with a working exploit. Should an attacker choose to use Sophos Antivirus as their conduit into your network, Sophos will simply not be able to prevent their continued intrusion for some time, and you must implement contingency plans to handle this scenario if you choose to continue deploying Sophos,” he writes.
One issue Sophos has now fixed concerned its Buffer Overflow Protection System (BOPS). BOPS was designed to provide a “faux-ASLR” for Windows XP, which lacks the native mitigation, but on Windows Vista and later, where the operating system already implements Address Space Layout Randomisation (ASLR), it disabled the real thing, “allowing attackers to develop reliable exploits for what might otherwise have been safe systems.”
Since ASLR works by denying an attacker fixed addresses for loaded code, switching it off means an exploit can hard-code its addresses and will work every time, which is exactly the property the mitigation exists to remove.
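The lesson a defender can act on here is not to trust that a mitigation is in effect because the OS or a product says so, but to measure it. The script below is an added example written for this article; it is not code from Ormandy’s paper or from Sophos, and it does not reproduce how BOPS disabled ASLR. It parses a DLL’s PE header for its preferred ImageBase and the DYNAMIC_BASE flag, then, on Windows, compares that against the address the module actually loaded at via GetModuleHandleW: a DLL that opted into ASLR but sits at its preferred base is a sign randomisation is not happening. The choice of kernel32.dll and the System32 path are assumptions; on non-Windows hosts the script only exercises the parser on a constructed, minimal PE header.

```python
"""Empirical ASLR sanity check for loaded Windows DLLs (added example).

Assumptions: kernel32.dll under %SystemRoot%\\System32 is a representative
ASLR-enabled system DLL; the minimal PE headers built below are constructed
test input, not real binaries.
"""
import ctypes
import os
import struct
import sys

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # image opted into ASLR


def parse_pe(data: bytes) -> dict:
    """Return preferred ImageBase and the DYNAMIC_BASE opt-in from PE headers."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20  # skip signature and 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:      # PE32: ImageBase is a DWORD at +28
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    elif magic == 0x20B:    # PE32+: ImageBase is a QWORD at +24
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]  # same offset in both formats
    return {
        "image_base": image_base,
        "dynamic_base": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "pe32plus": magic == 0x20B,
    }


def aslr_verdict(loaded_base: int, header: dict) -> str:
    """Classify one observation of a loaded module against its header."""
    if not header["dynamic_base"]:
        return "not-opted-in"        # image never asked for ASLR; nothing to randomise
    if loaded_base == header["image_base"]:
        return "at-preferred-base"   # opted in but not relocated: ASLR suspect
    return "relocated"


def build_minimal_pe(image_base: int, pe32plus: bool = True, dynamic_base: bool = True) -> bytes:
    """Construct the smallest header layout parse_pe needs (constructed sample input)."""
    opt_size = 112 if pe32plus else 96
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    if pe32plus:
        struct.pack_into("<Q", opt, 24, image_base)
    else:
        struct.pack_into("<I", opt, 28, image_base)
    struct.pack_into("<H", opt, 70, IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE if dynamic_base else 0)
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew: PE signature right after DOS header
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 0, 0, 0, 0, opt_size, 0x2000)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


def check_windows_dll(name: str = "kernel32.dll"):
    """Windows only: compare a DLL's loaded base with its on-disk preferred base."""
    k32 = ctypes.windll.kernel32
    k32.GetModuleHandleW.restype = ctypes.c_void_p   # avoid truncating 64-bit handles
    k32.GetModuleHandleW.argtypes = [ctypes.c_wchar_p]
    loaded = k32.GetModuleHandleW(name)
    path = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"), "System32", name)
    with open(path, "rb") as f:
        header = parse_pe(f.read(4096))  # headers fit comfortably in the first page
    return loaded, header, aslr_verdict(loaded, header)


if __name__ == "__main__":
    if sys.platform == "win32":
        loaded, header, verdict = check_windows_dll()
        print("kernel32 loaded at 0x%x, preferred 0x%x -> %s" % (loaded, header["image_base"], verdict))
    else:
        # Off Windows, demonstrate the classification on constructed headers.
        hdr = parse_pe(build_minimal_pe(0x180000000))
        print("relocated sample ->", aslr_verdict(0x7FF8A1230000, hdr))
        print("unrelocated sample ->", aslr_verdict(0x180000000, hdr))
```

Two caveats for anyone running this on a fleet: Windows randomises system DLL bases once per boot rather than per process, so a single observation within one boot can coincide with the preferred base by chance and the check should be repeated across reboots; and a verdict of "not-opted-in" points at the DLL’s build flags, not at the OS or a third-party product.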
The researcher recommends businesses that use Sophos devise a “contingency plan” to “disable Sophos installations across your fleet with short notice” and exclude it from use on high value networks.
“Sophos claim their products are deployed throughout healthcare, government, finance and even the military. The chaos a motivated attacker could cause to these systems is a realistic global threat. For this reason, Sophos products should only ever be considered for low-value non-critical systems and never deployed on networks or environments where a complete compromise by adversaries would be inconvenient,” writes Ormandy.
Ormandy’s final impression of Sophos after negotiating details of his paper over the two months to November 2 was the company was “working with good intentions” but “ill-equipped to handle the output of one co-operative security researcher working in his spare time.”
“It’s important to note that no attacker would share their attack with Sophos in advance of simply using it to compromise their target,” wrote Ormandy.