Researcher Finds Critical Vulnerabilities in Sophos Antivirus ProductAdded 7th Nov 2012
Security researcher Tavis Ormandy discovered critical vulnerabilities in the antivirus product developed by U.K.-based security firm Sophos and advised organizations to avoid using the product on critical systems unless the vendor improves its product development, quality assurance and security response practices.
Ormandy, who works as an information security engineer at Google, disclosed details about the vulnerabilities he found in a research paper entitled "Sophail: Applied attacks against Sophos Antivirus" that was published on Monday. Ormandy noted that the research was performed in his spare time and that the views expressed in the paper are his own and not those of his employer.
The paper contains details about several vulnerabilities in the Sophos antivirus code responsible for parsing Visual Basic 6, PDF, CAB and RAR files. Some of these flaws can be attacked remotely and can result in the execution of arbitrary code on the system.
Ormandy even included a proof-of-concept exploit for the PDF parsing vulnerability which he claims requires no user interaction, no authentication and can be easily transformed into a self-spreading worm.
The researcher built the exploit for the Mac version of Sophos antivirus, but noted that the vulnerability also affects Windows and Linux versions of the product and the exploit can easily be translated to those platforms.
The PDF parsing vulnerability can be exploited by simply receiving an email in Outlook or Mail.app, Ormandy said in the paper. Because Sophos antivirus automatically intercepts input and output (I/O) operations, opening or reading the email is not even necessary.
"The most realistic attack scenario for a global network worm is self-propagation via email," Ormandy said. "No users are required to interact with the email, as the vulnerability will be automatically exploited."
However, other attack methods are also possible -- for example, by opening any file of any type provided by an attacker; visiting a URL (even in a sandboxed browser), or embedding images using MIME cid: URLs into an email that is opened in a webmail client,the researcher said. "Any method an attacker can use to cause I/O is enough to exploit this vulnerability."
Ormandy also found that a component called the "Buffer Overflow Protection System" (BOPS) that's bundled with Sophos antivirus, disables the ASLR (address space layout randomization) exploit mitigation feature on all Windows versions that support it by default, including Vista and later.
"It is simply inexcusable to disable ASLR systemwide like this, especially in order to sell a naive alternative to customers that is functionally poorer than that provided by Microsoft," Ormandy said.
A website blacklisting component for Internet Explorer installed by Sophos antivirus cancels the protection offered by the browser's Protected Mode feature, the researcher said. In addition, the template used to display warnings by the blacklisting component introduces a universal cross-site scripting vulnerability that defeats the browser's Same Origin Policy.
The Same Origin Policy is "one of the fundamental security mechanisms that makes the internet safe to use," Ormandy said. "With the Same Origin Policy defeated, a malicious website can interact with your Mail, Intranet Systems, Registrar, Banks and Payroll systems, and so on."
Ormandy's comments throughout the paper suggest that many of these vulnerabilities should have been caught during the product development and quality assurance processes.
The researcher shared his findings with Sophos in advance and the company released security fixes for the vulnerabilities disclosed in the paper. Some of the fixes were rolled out on Oct. 22, while the others were released on Nov. 5, the company said Monday in a blog post.
There are still some potentially exploitable issues discovered by Ormandy through fuzzing -- a security testing method -- that were shared with Sophos, but weren't publicly disclosed. Those issues are being examined and fixes for them will start to be rolled out on Nov. 28, the company said.
"As a security company, keeping customers safe is Sophos's primary responsibility," Sophos said. "As a result, Sophos experts investigate all vulnerability reports and implement the best course of action in the tightest time period possible."
"It's good that Sophos has been able to deliver the suite of fixes within weeks, and without disrupting customers' usual operations," Graham Cluley, a senior technology consultant at Sophos, said Tuesday via email. "We are grateful that Tavis Ormandy found the vulnerabilities, as this has helped make Sophos's products better."
However, Ormandy wasn't satisfied with the time it took Sophos to patch the critical vulnerabilities he reported. The issues were reported to the company on September 10, he said.
"In response to early access to this report, Sophos did allocate some resources to resolve the issues discussed, however they were clearly ill-equipped to handle the output of one co-operative, non-adversarial security researcher," Ormandy said. "A sophisticated state-sponsored or highly motivated attacker could devastate the entire Sophos user base with ease."
"Sophos claim their products are deployed throughout healthcare, government, finance and even the military," the researcher said. "The chaos a motivated attacker could cause to these systems is a realistic global threat. For this reason, Sophos products should only ever be considered for low-value non-critical systems and never deployed on networks or environments where a complete compromise by adversaries would be inconvenient."
Ormandy's paper contains a section that describes best practices and includes the researcher's recommendations for Sophos customers, like implementing contingency plans that would allow them to disable Sophos antivirus installations on short notice.
"Sophos simply cannot react fast enough to prevent attacks, even when presented with a working exploit," he said. "Should an attacker choose to use Sophos Antivirus as their conduit into your network, Sophos will simply not be able to prevent their continued intrusion for some time, and you must implement contingency plans to handle this scenario if you choose to continue deploying Sophos."
A phenomenal idea that reveals the damage traditional toys have had on our children and facilities how we can encourage our girls to take up careers in science, technology, engineering and mathematics.
A new commercial tool designed to allow cybercriminals to easily transform legitimate Android applications into malicious software has hit the underground market, paving the way for cheap and easy development of sophisticated Android malware.
Malware often does strange things, but this one -- which looked like Skype installed on a corporate domain controller -- was most "peculiar," says Jim Butterworth, a security expert at ManTech International, whose security subsidiary HBGary recently found the custom-designed remote-access Trojan on a customer's network.
Microsoft will deliver five security updates to customers next week, two tagged as "critical," including one that will quash the open vulnerability in Internet Explorer that hackers have been exploiting since January.
Having lots of Wi-Fi networks packed into a condominium or apartment building can hurt everyone's wireless performance, but Stanford University researchers say they've found a way to turn crowding into an advantage.
Organizations can now add machine-generated data to their palate of information sources that can be aggregated and analyzed, thanks to a new connector jointly developed by Tableau Software, a provider of business intelligence software, and Splunk, which sells a log-file search engine.
The Tor network is in danger of being swamped by criminals abusing its anonymity to hide an underworld of parasitic botnets, malicious command and control and ‘darknet' markets, according to research from Kaspersky Lab.
Rogue adverts that use social engineering to persuade users to install malware have displaced porn as the leading method of attack on mobile devices, according to a report from security firm Blue Coat.
A convoluted web of applications is stunting the digital transformation of the world's biggest international organisations.
Goldman Sachs has been doing SDNs for a long time. It just wasn't called SDNs when the investment giant invested in network programmability. It was just a bunch of APIs, software development kits and other code used to cobble together a large number of various specialized networks – trading, investment banking and the like -- across the globe.
Bitcoin's biggest mystery has finally been solved: The crypto-currency's creator, Satoshi Nakamoto, has finally been unmasked. Well, maybe.
When it comes to mobile devices, it's well known that malware writers like to target Android. But a threat report published today by security firm F-Secure puts in perspective why Android malware attacks often flop and why Android itself is no pushover.
Shipments of new PCs, most of them equipped with Microsoft Windows, will decline more in 2014 than thought a few months ago, according to IDC.
SAN JOSE -- In an effort simplify enterprise customer procurements, Cisco is implementing a licensing model for data center, WAN and access product purchases.
Challenging Microsoft's Windows Azure on its own turf, Red Hat is ramping up services that would offer Microsoft .NET and SQL Server capabilities on its OpenShift platform as a service (PaaS).