Multiple critical flaws flagged in Sophos

Exploit could be "wormed within days".

Multiple vulnerabilities in Sophos security software and an exploit have been publicly disclosed.

Google researcher Tavis Ormandy said in a paper (pdf) released overnight that security professionals should "exclude Sophos products from consideration for high value networks and assets".

He described a series of Windows, Mac, and Linux vulnerabilities in the paper that affect third-party routers, VPN gateways and corporate proxies licensed to use Sophos core software.

Ormandy gave examples of design problems in Sophos software which required "urgent attention from affected administrators".

In addition, he outlined a "pre-authentication remote root exploit that requires zero-interaction, and could be wormed within the next few days".

"Installing Sophos anti-virus exposes machines to considerable risk. If Sophos do not urgently improve their security posture, their continued deployment causes significant risk to global networks and infrastructure," he wrote on the Full Disclosure mailing list.

"A sophisticated state-sponsored or highly motivated attacker could devastate the entire Sophos user base with ease."

Sophos mitigated three of the issues in Ormandy's paper last month, and was rolling out patches.

It was examining new vulnerabilities and expected to issue fixes on 28 November.

Ormandy told SC that users could only protect themselves by uninstalling Sophos software on critical networks.

He criticised Sophos on the grounds that the company "were clearly ill-equipped to handle the output of one co-operative, non-adversarial security researcher."

"Sophos cannot react quickly to reports of vulnerabilities in their products, even when presented with working exploits," Ormandy said.

"Should an attacker attempt to use Sophos as a conduit into your network, Sophos will not be able to react or help resolve the problem for some time."

The company thanked Ormandy, and said keeping customers safe was "Sophos's primary responsibility". It outlined patched vulnerabilities in a blog post.

  • A remote code execution vulnerability was discovered in how the Sophos anti-virus engine scans malformed Visual Basic 6 compiled files. Fix rolled out 22 October.
  • A remote code execution vulnerability was discovered in how the Sophos anti-virus engine scans malformed PDF files. Fix rolled out 5 November.
  • The Sophos web protection and web control Layered Service Provider (LSP) block page was found to include an XSS flaw. Fix rolled out 22 October.
  • Vulnerabilities were found in how Sophos's anti-virus engine handles malformed CAB and RAR files. These vulnerabilities could cause the Sophos engine to corrupt memory. Roll-out of a fix for the vulnerability related to malformed CAB files completed 22 October. Roll-out of a fix for the vulnerability related to malformed RAR files began on 5 November.
  • An issue was identified with the BOPS technology in Sophos Anti-Virus for Windows and how it interacted with ASLR on Windows Vista and later. Fix rolled out 22 October.
  • An issue was identified in how Sophos protection interacts with Internet Explorer's Protected Mode. Fix rolled out from 5 November.

With Darren Pauli.

Copyright © SC Magazine, UK edition