Multiple vulnerabilities in Sophos security software, along with a working exploit, have been publicly disclosed.
Google researcher Tavis Ormandy said security professionals should "exclude Sophos products from consideration for high value networks and assets" in a paper (PDF) released overnight.
The paper describes a series of vulnerabilities in the Windows, Mac and Linux versions of Sophos products, which also affect third-party routers, VPN gateways and corporate proxies that license Sophos's core software.
Ormandy gave examples of design problems in Sophos software that he said required "urgent attention from affected administrators".
In addition, he outlined a "pre-authentication remote root exploit that requires zero-interaction, and could be wormed within the next few days".
"Installing Sophos anti-virus exposes machines to considerable risk. If Sophos do not urgently improve their security posture, their continued deployment causes significant risk to global networks and infrastructure," he wrote on the Full Disclosure mailing list.
"A sophisticated state-sponsored or highly motivated attacker could devastate the entire Sophos user base with ease."
Sophos mitigated three of the issues in Ormandy's paper last month and was rolling out patches.
It was examining new vulnerabilities and expected to issue fixes on 28 November.
Ormandy told SC that users could only protect themselves by uninstalling Sophos software on critical networks.
He criticised Sophos on the grounds that the company "were clearly ill-equipped to handle the output of one co-operative, non-adversarial security researcher."
"Sophos cannot react quickly to reports of vulnerabilities in their products, even when presented with working exploits," Ormandy said.
"Should an attacker attempt to use Sophos as a conduit into your network, Sophos will not be able to react or help resolve the problem for some time."
The company thanked Ormandy, and said keeping customers safe was "Sophos's primary responsibility". It outlined patched vulnerabilities in a blog post.
- A remote code execution vulnerability was discovered in how the Sophos anti-virus engine scans malformed Visual Basic 6 compiled files. Fix rolled out 22 October.
- A remote code execution vulnerability was discovered in how the Sophos anti-virus engine scans malformed PDF files. Fix rolled out 5 November.
- The Sophos web protection and web control Layered Service Provider (LSP) block page was found to include an XSS flaw. Fix rolled out 22 October.
- Vulnerabilities were found in how Sophos's anti-virus engine handles malformed CAB and RAR files. These vulnerabilities could cause the Sophos engine to corrupt memory. Roll-out of a fix for the vulnerability related to malformed CAB files completed 22 October. Roll-out of a fix for the vulnerability related to malformed RAR files began on 5 November.
- An issue was identified with the BOPS technology in Sophos Anti-Virus for Windows and how it interacted with ASLR on Windows Vista and later. Fix rolled out 22 October.
- An issue was identified in how Sophos protection interacts with Internet Explorer's Protected Mode. Fix rolled out from 5 November.
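The article does not say what the BOPS/ASLR interaction was, only that one was identified and fixed. The most common way a security product weakens ASLR on Vista and later is to ship a module that was not linked with /DYNAMICBASE, which the loader then maps at a fixed address any attacker can rely on. The following is an added example, not code from Sophos or from Ormandy's paper: a small PE header parser that reports whether a DLL or EXE opts into ASLR (and NX and high-entropy VA) so an administrator can audit the modules a product drops on a machine. The flag values and header offsets are the documented PE/COFF ones; the `build_minimal_pe` helper fabricates a header-only image purely as constructed test input and is not a loadable file.

```python
import os
import struct
import sys

# DllCharacteristics bits from the PE/COFF specification.
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA = 0x0020   # 64-bit ASLR
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040      # image may be relocated (ASLR opt-in)
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100         # DEP/NX compatible
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def dll_characteristics(image: bytes) -> int:
    """Return the DllCharacteristics field of a PE image; raise ValueError if it is not a PE."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not a PE image (missing MZ header)")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    opt = e_lfanew + 4 + 20                       # 4-byte signature + 20-byte COFF file header
    magic = struct.unpack_from("<H", image, opt)[0]
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics is at offset 70 of the optional header in both PE32 and PE32+.
    return struct.unpack_from("<H", image, opt + 70)[0]


def aslr_report(image: bytes) -> dict:
    """Summarise the mitigations a module opts into via its DllCharacteristics."""
    dc = dll_characteristics(image)
    return {
        "dynamic_base": bool(dc & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "high_entropy_va": bool(dc & IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA),
        "nx_compat": bool(dc & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
    }


def scan_modules(root: str) -> list:
    """Walk a directory tree and return (path, report) for every PE that is NOT ASLR-enabled."""
    weak = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            if not name.lower().endswith((".dll", ".exe", ".sys", ".ocx")):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    report = aslr_report(fh.read(4096))   # headers live in the first page
            except (OSError, ValueError):
                continue                                  # unreadable or not a PE: skip
            if not report["dynamic_base"]:
                weak.append((path, report))
    return weak


def build_minimal_pe(dll_chars: int, pe32plus: bool = True) -> bytes:
    """Constructed test input: a header-only, non-loadable PE with the given DllCharacteristics."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 240 if pe32plus else 224
    coff = struct.pack("<HHIIIHH",
                       0x8664 if pe32plus else 0x14C,    # Machine
                       0, 0, 0, 0,                       # sections, timestamp, symtab, nsyms
                       opt_size,                         # SizeOfOptionalHeader
                       0x2022)                           # Characteristics: DLL | executable
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<H", opt, 70, dll_chars)
    return dos + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    # Usage: python aslr_audit.py <directory>   (e.g. a product's install directory)
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, report in scan_modules(root):
        print("%-60s %s" % (path, report))
```

Every module reported by `scan_modules` is loaded at a predictable address in every process that uses it, which is exactly what an exploit chained through a memory-corruption bug in the same process needs; for an AV or HIPS component that injects into every process, one such module undoes ASLR system-wide. Checking `nx_compat` and `high_entropy_va` alongside it is cheap and catches the same class of regression.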
With Darren Pauli.