Google Engineer: Sophos Antivirus Not Safe for Businesses

Status
Not open for further replies.

mercurial

Level 6
Thread author
Oct 3, 2012
472
A Google engineer claims that the Sophos Antivirus client shouldn't be used in high value information systems located in government, healthcare and military sectors.


Several flaws were recently discovered in the Sophos Antivirus client that now has Google security engineer Tavis Ormandy requesting that the software be kept away from high value information systems.

Ormandy's findings were released in a 30-page analysis called "Sophail: Applied Attacks Against Sophos Antivirus" (PDF). In the report, he states that the flaws were caused by "poor development practices and coding standards." He also claims that Sophos was rather slow in its response to his warnings that he already had working exploits locked and loaded for those very flaws.

According to Ormandy, one exploit is for a flaw located in Sophos' on-access scanner. This exploit could be used to unleash a worm on a network by attaching it to an email via Outlook – it doesn't need to be read or opened to launch the payload. Even using a webmail client is enough, he claims, as an attacker can embed images using MIME cid: urls and trigger cache writes.

"Installing Sophos Antivirus exposes machines to considerable risk," he states in the report. "If Sophos do not urgently improve their security posture, their continued deployment causes significant risk to global networks and infrastructure."

The security firm reportedly received an early version of the paper on September 10, and commended Ormandy for his "responsible disclosure". Sophos and Ormandy previously clashed a few years back after he reported a Windows XP bug to Microsoft and then released the attack code five days later. Sophos called the disclosure "irresponsible" because there wasn't enough time given to fix the issue.

Sophos said on Tuesday that the bulk of the issues revealed in the report were fixed as of October 22, just 42 days later, followed by a second fix on November 5. A third patch is slated to arrive on November 28 that will address "malformed files which can cause the Sophos antivirus engine to halt," the security firm said.

Source
 

Littlebits

Retired Staff
May 3, 2011
3,893
Doesn't Google have a partnership with Sophos? The last time I recall, Gmail used Sophos to scan for malware. Google Safe Browsing also used Sophos.

Thanks.:D
 

malbky

Level 1
Jun 23, 2011
1,011
Hmm, I really had no idea about Gmail's spam cleaners. At least Yahoo and MS advertise their AV partners.
Sophos is highly popular and each antivirus does have its share of problems.
No amount of software can prevent attacks due to lack of common sense and responsible use of computers.
Most of the highly secretive government computers use Linux; at least here in India it is done. Otherwise, at least consider switching to it.
Also, no AV can prevent corrupt people and black sheep in enterprises from leaking data.
 
