Researcher Finds Critical Vulnerabilities in Sophos Antivirus ProductAdded 7th Nov 2012
Security researcher Tavis Ormandy discovered critical vulnerabilities in the antivirus product developed by U.K.-based security firm Sophos and advised organizations to avoid using the product on critical systems unless the vendor improves its product development, quality assurance and security response practices.
Ormandy, who works as an information security engineer at Google, disclosed details about the vulnerabilities he found in a research paper entitled "Sophail: Applied attacks against Sophos Antivirus" that was published on Monday. Ormandy noted that the research was performed in his spare time and that the views expressed in the paper are his own and not those of his employer.
The paper contains details about several vulnerabilities in the Sophos antivirus code responsible for parsing Visual Basic 6, PDF, CAB and RAR files. Some of these flaws can be attacked remotely and can result in the execution of arbitrary code on the system.
Ormandy even included a proof-of-concept exploit for the PDF parsing vulnerability which he claims requires no user interaction, no authentication and can be easily transformed into a self-spreading worm.
The researcher built the exploit for the Mac version of Sophos antivirus, but noted that the vulnerability also affects Windows and Linux versions of the product and the exploit can easily be translated to those platforms.
The PDF parsing vulnerability can be exploited by simply receiving an email in Outlook or Mail.app, Ormandy said in the paper. Because Sophos antivirus automatically intercepts input and output (I/O) operations, opening or reading the email is not even necessary.
"The most realistic attack scenario for a global network worm is self-propagation via email," Ormandy said. "No users are required to interact with the email, as the vulnerability will be automatically exploited."
However, other attack methods are also possible -- for example, by opening any file of any type provided by an attacker; visiting a URL (even in a sandboxed browser), or embedding images using MIME cid: URLs into an email that is opened in a webmail client,the researcher said. "Any method an attacker can use to cause I/O is enough to exploit this vulnerability."
Ormandy also found that a component called the "Buffer Overflow Protection System" (BOPS) that's bundled with Sophos antivirus, disables the ASLR (address space layout randomization) exploit mitigation feature on all Windows versions that support it by default, including Vista and later.
"It is simply inexcusable to disable ASLR systemwide like this, especially in order to sell a naive alternative to customers that is functionally poorer than that provided by Microsoft," Ormandy said.
A website blacklisting component for Internet Explorer installed by Sophos antivirus cancels the protection offered by the browser's Protected Mode feature, the researcher said. In addition, the template used to display warnings by the blacklisting component introduces a universal cross-site scripting vulnerability that defeats the browser's Same Origin Policy.
The Same Origin Policy is "one of the fundamental security mechanisms that makes the internet safe to use," Ormandy said. "With the Same Origin Policy defeated, a malicious website can interact with your Mail, Intranet Systems, Registrar, Banks and Payroll systems, and so on."
Ormandy's comments throughout the paper suggest that many of these vulnerabilities should have been caught during the product development and quality assurance processes.
The researcher shared his findings with Sophos in advance and the company released security fixes for the vulnerabilities disclosed in the paper. Some of the fixes were rolled out on Oct. 22, while the others were released on Nov. 5, the company said Monday in a blog post.
There are still some potentially exploitable issues discovered by Ormandy through fuzzing -- a security testing method -- that were shared with Sophos, but weren't publicly disclosed. Those issues are being examined and fixes for them will start to be rolled out on Nov. 28, the company said.
"As a security company, keeping customers safe is Sophos's primary responsibility," Sophos said. "As a result, Sophos experts investigate all vulnerability reports and implement the best course of action in the tightest time period possible."
"It's good that Sophos has been able to deliver the suite of fixes within weeks, and without disrupting customers' usual operations," Graham Cluley, a senior technology consultant at Sophos, said Tuesday via email. "We are grateful that Tavis Ormandy found the vulnerabilities, as this has helped make Sophos's products better."
However, Ormandy wasn't satisfied with the time it took Sophos to patch the critical vulnerabilities he reported. The issues were reported to the company on September 10, he said.
"In response to early access to this report, Sophos did allocate some resources to resolve the issues discussed, however they were clearly ill-equipped to handle the output of one co-operative, non-adversarial security researcher," Ormandy said. "A sophisticated state-sponsored or highly motivated attacker could devastate the entire Sophos user base with ease."
"Sophos claim their products are deployed throughout healthcare, government, finance and even the military," the researcher said. "The chaos a motivated attacker could cause to these systems is a realistic global threat. For this reason, Sophos products should only ever be considered for low-value non-critical systems and never deployed on networks or environments where a complete compromise by adversaries would be inconvenient."
Ormandy's paper contains a section that describes best practices and includes the researcher's recommendations for Sophos customers, like implementing contingency plans that would allow them to disable Sophos antivirus installations on short notice.
"Sophos simply cannot react fast enough to prevent attacks, even when presented with a working exploit," he said. "Should an attacker choose to use Sophos Antivirus as their conduit into your network, Sophos will simply not be able to prevent their continued intrusion for some time, and you must implement contingency plans to handle this scenario if you choose to continue deploying Sophos."
According to CIO research, more CXOs and LoBs are directly sourcing IT from vendors, despite the fact that IT leaders are trying to work more closely with them.
Padmaja Alaganandan, Executive Director-Consulting, PwC Consulting, says the way Indian companies look at their workforce will change: The middle and lower rungs will be hired on a project- or part-time basis.
The annual cost of cybercrime is either staggering, or a mere blip on the world's economic bottom line, depending on how you look at it.
The idea of devops is to better streamline the work of developers and operation professionals.
Wireless broadband subscriptions now outnumber people in seven countries as consumers continue to snap up smartphones and tablets, according to a new report.
Former Microsoft CEO Steve Ballmer's 'devices and services' strategy may be in tatters, discarded by his successor, Satya Nadella, but Ballmer must be smiling all the way to the bank.
In today's increasingly converged world, there's a tendency to pit CIOs and CMOs against one another as if they're standing in opposing corners of the ring.
'Gyges' malware shows ominous mixing of forms.
Banks across Europe are now coping with a wave of cybercrime in which crooks are transferring funds out of customer accounts through a scam involving bypassing some two-factor authentication systems to steal large sums, according to a security firm assisting in the investigation.
Packer and OpenNebula are the latest open source technologies to find a home on the Microsoft Azure cloud service.
Let us do the heavy lifting when it comes to delivering consumer data, Oracle says.
After much preparation, the attackers launched very specially tailored spear phishing email attacks.
Today's businesses can't run without computers, but not every user needs a high-end tablet, laptop or tower.
Sells Junos Pulse to private equity firm for $250 million.
Apple has racked up another hugely profitable quarter on sales of iPhones and Macintosh computers, though its revenue growth was slower than expected.