Researcher Finds Critical Vulnerabilities in Sophos Antivirus ProductAdded 7th Nov 2012
Security researcher Tavis Ormandy discovered critical vulnerabilities in the antivirus product developed by U.K.-based security firm Sophos and advised organizations to avoid using the product on critical systems unless the vendor improves its product development, quality assurance and security response practices.
Ormandy, who works as an information security engineer at Google, disclosed details about the vulnerabilities he found in a research paper entitled "Sophail: Applied attacks against Sophos Antivirus" that was published on Monday. Ormandy noted that the research was performed in his spare time and that the views expressed in the paper are his own and not those of his employer.
The paper contains details about several vulnerabilities in the Sophos antivirus code responsible for parsing Visual Basic 6, PDF, CAB and RAR files. Some of these flaws can be attacked remotely and can result in the execution of arbitrary code on the system.
Ormandy even included a proof-of-concept exploit for the PDF parsing vulnerability which he claims requires no user interaction, no authentication and can be easily transformed into a self-spreading worm.
The researcher built the exploit for the Mac version of Sophos antivirus, but noted that the vulnerability also affects Windows and Linux versions of the product and the exploit can easily be translated to those platforms.
The PDF parsing vulnerability can be exploited by simply receiving an email in Outlook or Mail.app, Ormandy said in the paper. Because Sophos antivirus automatically intercepts input and output (I/O) operations, opening or reading the email is not even necessary.
"The most realistic attack scenario for a global network worm is self-propagation via email," Ormandy said. "No users are required to interact with the email, as the vulnerability will be automatically exploited."
However, other attack methods are also possible -- for example, by opening any file of any type provided by an attacker; visiting a URL (even in a sandboxed browser), or embedding images using MIME cid: URLs into an email that is opened in a webmail client,the researcher said. "Any method an attacker can use to cause I/O is enough to exploit this vulnerability."
Ormandy also found that a component called the "Buffer Overflow Protection System" (BOPS) that's bundled with Sophos antivirus, disables the ASLR (address space layout randomization) exploit mitigation feature on all Windows versions that support it by default, including Vista and later.
"It is simply inexcusable to disable ASLR systemwide like this, especially in order to sell a naive alternative to customers that is functionally poorer than that provided by Microsoft," Ormandy said.
A website blacklisting component for Internet Explorer installed by Sophos antivirus cancels the protection offered by the browser's Protected Mode feature, the researcher said. In addition, the template used to display warnings by the blacklisting component introduces a universal cross-site scripting vulnerability that defeats the browser's Same Origin Policy.
The Same Origin Policy is "one of the fundamental security mechanisms that makes the internet safe to use," Ormandy said. "With the Same Origin Policy defeated, a malicious website can interact with your Mail, Intranet Systems, Registrar, Banks and Payroll systems, and so on."
Ormandy's comments throughout the paper suggest that many of these vulnerabilities should have been caught during the product development and quality assurance processes.
The researcher shared his findings with Sophos in advance and the company released security fixes for the vulnerabilities disclosed in the paper. Some of the fixes were rolled out on Oct. 22, while the others were released on Nov. 5, the company said Monday in a blog post.
There are still some potentially exploitable issues discovered by Ormandy through fuzzing -- a security testing method -- that were shared with Sophos, but weren't publicly disclosed. Those issues are being examined and fixes for them will start to be rolled out on Nov. 28, the company said.
"As a security company, keeping customers safe is Sophos's primary responsibility," Sophos said. "As a result, Sophos experts investigate all vulnerability reports and implement the best course of action in the tightest time period possible."
"It's good that Sophos has been able to deliver the suite of fixes within weeks, and without disrupting customers' usual operations," Graham Cluley, a senior technology consultant at Sophos, said Tuesday via email. "We are grateful that Tavis Ormandy found the vulnerabilities, as this has helped make Sophos's products better."
However, Ormandy wasn't satisfied with the time it took Sophos to patch the critical vulnerabilities he reported. The issues were reported to the company on September 10, he said.
"In response to early access to this report, Sophos did allocate some resources to resolve the issues discussed, however they were clearly ill-equipped to handle the output of one co-operative, non-adversarial security researcher," Ormandy said. "A sophisticated state-sponsored or highly motivated attacker could devastate the entire Sophos user base with ease."
"Sophos claim their products are deployed throughout healthcare, government, finance and even the military," the researcher said. "The chaos a motivated attacker could cause to these systems is a realistic global threat. For this reason, Sophos products should only ever be considered for low-value non-critical systems and never deployed on networks or environments where a complete compromise by adversaries would be inconvenient."
Ormandy's paper contains a section that describes best practices and includes the researcher's recommendations for Sophos customers, like implementing contingency plans that would allow them to disable Sophos antivirus installations on short notice.
"Sophos simply cannot react fast enough to prevent attacks, even when presented with a working exploit," he said. "Should an attacker choose to use Sophos Antivirus as their conduit into your network, Sophos will simply not be able to prevent their continued intrusion for some time, and you must implement contingency plans to handle this scenario if you choose to continue deploying Sophos."
Akamai Technologies today has agreed to acquire Prolexic Technologies, a distributed denial-of-service (DDoS) mitigation services company, for $370 million.
Cisco Systems's third annual Global Cloud Index forecasts that global cloud traffic will more than quadruple, from 1.2 zettabytes in 2012 to 5.3 ZB in 2017.
The research firm notes that currency issues and a lack of reforms have slowed Indian IT spending growth in the current year.
The director of information architecture at agency Nomensa details the biggest design trend for 2014.
The analyst firm expects that by 2017, this growth will slow to single-digit percentages, with shipments peaking at 386.3 million units.
Outsourcers will have opportunities to create new activities for compliance-concerned industries and deepen their social media activities with first adopters as channels evolve.
The storage industry has evolved at a rate of knots over the past couple of years, and there are no signs of it slowing down any time soon. Trends such as Big Data might be seen as massively overhyped, though they're beginning to find their way into the Middle Eastern market, and more tangible innovations such as the proliferation of flash storage are beginning to find acceptance. What will all this mean for CIOs in the coming year? CNME asks a panel of experts, and looks forward to the nine biggest storage trends of 2014.
Among the many expectations for IT in 2014, Ethernet is projected to broaden its penetration in the metro area and the WAN. The ubiquitous technology will become further entrenched as a broadband access, cloud interconnect and wide area medium, further distancing itself from legacy TDM services. Here are eight predictions for Ethernet in the New Year, from service provider Comcast Business Services:
The chip industry is in for major changes in the coming years, according to Broadcom Chairman and Chief Technical Officer Henry Samueli.
As times change, so does the role of IT. A generation ago, it had to embrace PCs and client/server solutions. Now IT departments are faced with the consumerization of technology. Could the same analytics that helps companies predict customer behavior help IT departments stay relevant?
Oracle has fully integrated the long-awaited Linux DTrace debugging tool into the latest release of its Linux distribution, potentially allowing administrators and developers to pinpoint the cause of thorny performance issues with more accuracy.
Telstra has achieved 300 Mbps speeds in a test on its 4G network by aggregating two channels of 20 MHz spectrum.
The U.S. Defense Department may have found a new way to scan millions of lines of software code for vulnerabilities, namely by turning the practice into a set of video games and puzzles and have volunteers do the work.
More powerful processors will allow smartphone vendors to turn their high-end models into gaming consoles, but slower growth will also force them to focus more on improving their less expensive products next year.
On any given day cybercriminals and nation states are in possession of as many as 100 zero-day software exploits known only to them, NSS Labs has calculated using the commercial vulnerability market as a baseline.