Sophos' WS1000 web appliance not only fails to include batch files in its download file type block list, but said it would only include the ability to block them as a feature.
WS1000 is an enterprise-targeted secure appliance and intends to protect "every user, on every device, everywhere they go" by prohibiting particular end-user actions, such as downloading dangerous file types.
Unfortunately, during a recent penetration test, Simon Vaughan of SafeHackUK noticed that a client using the WS1000 appliance was able to download .bat files, an old Windows file extension but one which is still widely used, according to Vaughan.
The extension .bat denotes a script which contains a list of commands that is executed by the command line interpreter when run.
An executable file type, which could trivially be malicious and which Sophos' web appliance intends to protect users from downloading – and yet .bat files are not included in the company's download file type list.
Upon informing the company of this vulnerability, Vaughan received the following response, which The Register reproduces verbatim:
Upon further checking, .bat file is not included in the download file type list. For that concern, you can request that feature to http://feature.astaro.com/forums/143211-sophos-web-security. Sophos will evaluate it and will update you if it will be approved. Let me know if you have further concerns or if can now close our case. Thank you.
As the company has decided to pursue the feature route with the patch, Vaughan has submitted it to Sophos' features forum, where non-members may vote for the "urgent security fix".
Talking to The Register, Vaughan said: "I think they misunderstood what I was raising with them, is the nicest way I could put it, this is a security hole, it's the same as blocking .exe files."
The Register brought the issue to Sophos' attention and was told by a company rep:
“Sophos Web Appliance can protect customers against threats contained in .bat files, as these files are routinely scanned by SWA. It is correct that the SWA does not currently offer the ability for admins to set a policy to block .bat files. This is a feature we will add as a result of this report".
"We would like to reassure Sophos Web Appliance customers that the absence of the ability to block .bat files does not represent a software vulnerability in the SWA code but it is an ability we will add to improve the filtering policy options for our customers." ®