A security researcher has discovered embarrassing and critical vulnerabilities in Sophos' enterprise protection software.
Tavis Ormandy, an information security engineer at Google, published a paper along with example attack code to highlight flaws present in Windows, Linux and Mac OS X builds of Sophos' antivirus product.
The holes can be reliably and easily exploited by hackers to compromise the computers the software is supposed to defend. Specifically, the antivirus scanner fails to safely examine encrypted PDFs and VisualBasic files, which could arrive in an email or website download; these documents can be crafted to trigger flaws within the software and gain control of the system.
In response, Sophos confirmed today that most of the eight vulnerabilities documented by Ormandy were patched a month after the security researcher reported the bugs in September. The company is adamant the flaws have not been exploited in the wild.
Nonetheless Ormandy - who said his work has nothing to do with his employer - argued in a post to the Full Disclosure mailing list on Monday that the risk is high.
"My paper includes a working pre-authentication remote root exploit that requires zero-interaction, and could be wormed within the next few days," he writes. "I would suggest administrators deploying Sophos products study my results urgently, and implement the recommendations."
Ormandy's dossier [PDF] also includes advice on best practices for Sophos users and is "intended to help administrators of high-value networks minimise the potential damage to their assets caused by Sophos". Even the name of the paper "sophailv2" alludes to failure.
His suggestion that IT bosses "exclude Sophos products from consideration for high-value networks and assets" is unlikely to find much favour at Sophos HQ.
Ormandy is also critical of the overall quality of programming and quality assurance testing by Sophos as well as the company's insistence that the exploitation of the holes is unlikely.
"A working exploit for Sophos 8.0.6 on Mac is available, however the techniques used in the exploit easily transfer to Windows and Linux due to multiple critical implementation flaws described in the paper. Test cases for the other flaws described in the paper are available on request," he wrote.
Ormandy reported the vulnerabilities to Sophos on 10 September. Five of the flaws were mitigated in a new version rolled out to users on 22 October. A further two security bugs were quashed on 5 November. The security firm promises a fix for a further bug, which causes its software to crash, by the end of the month.
As well as the PDF and Visual Basic blunders, vulnerabilities were found in the antivirus engine's handling of malformed CAB and RAR files, which corrupted the computer system's memory if triggered - another headache for sysadmins. The software also needlessly knackered the Windows operating system's ASLR defence mechanism against malicious code, and was vulnerable to cross-site scripting attacks. These flaws have been patched.
A demonstration of the Sophos Anti-Virus Sophail PDF Vulnerability, the worst of the vulnerabilities uncovered by Ormandy, can be found here as a Metasploit payload.
Best of enemies
There's a history between Sophos and Ormandy, which goes some way to explain the somewhat aggressive tone of their latest exchanges.
The Google engineer delivered a presentation on what he argued were shortcomings in Sophos software at Black Hat USA in August 2011. Prior to this writers on the Sophos Naked Security blog repeatedly criticised Ormandy over the allegedly "irresponsible disclosure" of a zero-day vulnerability in Windows Help and Support Center that affected Windows XP machines in June 2010.
Days later Sophos published an article provocatively titled Tavis Ormandy - are you pleased with yourself? Website exploits Microsoft zero-day. The revealed flaw was subsequently used by miscreants to infect more than 10,000 PCs in less than one month, according to Sophos.
El Reg counted five articles and a podcast openly critical of Ormandy on the Naked Security blog, not including the two posts on the vulnerabilities he's discovered in Sophos software, which are a bit passive aggressive but overall neutral in tone, if you discount the anger over the Windows flaw uncovered two years ago.
By comparison the crooks behind Operation Ghost Click, a massive online crime wave uncovered last year, are mentioned only twice, although in fairness the DNS Changer malware the crims peddled has been frequently covered by Sophos.
Love Bug worm author Onel de Guzman gets only three mentions. That's not to say Sophos blog writers hold Ormandy in lower regard than de Guzman, but it does suggest they may have gone a bit over the top with their criticism of Ormandy two years ago - something that may have encouraged subsequent probing of the UK-based software company's products.
Graham Cluley, a senior technology consultant at Sophos, welcomed Ormandy's efforts.
"Sophos products are better than they were three months ago and Tavis's research has helped," Cluley told El Reg. "He told us about vulnerabilities we didn't know about before, which we've successfully been able to patch."
Every security system vendor suffers from vulnerabilities from time to time, and it's far better that the flaws are reported by researchers such as Ormandy and fixed before they are exploited by hackers, Cluley added. ®