Multiple vulnerabilities in Sophos security software and an exploit have been publicly disclosed.
Google researcher Tavis Ormandy said security professionals should "exclude Sophos products from consideration for high value networks and assets" in a paper (pdf) released overnight.
He described a series of Windows, Mac, and Linux vulnerabilities in the paper that affect third-party routers, VPN gateways and corporate proxies licensed to use Sophos core software.
Ormandy gave examples of design problems in Sophos software which required "urgent attention from affected administrators".
In addition, he outlined a "pre-authentication remote root exploit that requires zero-interaction, and could be wormed within the next few days".
"Installing Sophos anti-virus exposes machines to considerable risk. If Sophos do not urgently improve their security posture, their continued deployment causes significant risk to global networks and infrastructure," he wrote on the Full Disclosure mailing list.
"A sophisticated state-sponsored or highly motivated attacker could devastate the entire Sophos user base with ease."
Sophos mitigated three of the issues in Ormandy's paper last month, and was rolling out patches.
It was examining new vulnerabilities and expected to issue fixes on 28 November.
Ormandy told SC that users could only protect themselves by uninstalling Sophos software on critical networks.
He criticised Sophos on the grounds that the company "were clearly ill-equipped to handle the output of one co-operative, non-adversarial security researcher."
"Sophos cannot react quickly to reports of vulnerabilities in their products, even when presented with working exploits," Ormandy said.
"Should an attacker attempt to use Sophos as a conduit into your network, Sophos will not be able to react or help resolve the problem for some time."
The company thanked Ormandy, and said keeping customers safe was "Sophos's primary responsibility". It outlined patched vulnerabilities in a blog post.
With Darren Pauli.
Copyright © SC Magazine, UK edition