May 26, 2017

Multiple critical vulnerabilities found and almost fixed in Sophos Antivirus

(LiveHacking.Com) – Tavis Ormandy has published a paper, called “Sophail: Applied attacks against Sophos Antivirus” which describes realistic attacks against Sophos Antivirus. Buried not too deep in the analysis is a working pre-authentication remote root exploit that does not require any user interaction. Tavis expects that this exploit could be wormed within the next few days.

As a result of the disclosure, Sophos has published a response outlining a schedule for fixing the vulnerabilities. Many of the holes have already been patched in updates published by Sophos on October 22. Further patches were released yesterday, and on 28 November 2012 Sophos plans to release patches for bugs found by Tavis which cause the anti-virus engine to halt when parsing certain malformed files.

In each case Sophos is keen to point out that there is no evidence of these vulnerabilities being exploited in the wild.

Ormandy’s publication is the second paper in his series on Sophos internals. It puts into practice the results found in the first paper. It is intended for a technical audience and describes the process a sophisticated attacker would follow when targeting Sophos users.

“By design, antivirus products introduce a vast attack surface to a hostile environment. The vendors of these products have a responsibility to uphold the highest secure development standards possible to minimize the potential for harm caused by their software”, wrote Tavis in his paper.

Tavis did follow a responsible disclosure practice with these vulnerabilities. He informed Sophos in September about the problems, and the anti-virus heavyweight requested two months to look into the bugs. However, as he points out, “Sophos did allocate some resources to resolve the issues discussed, however they were clearly ill-equipped to handle the output of one co-operative, non-adversarial security researcher. A sophisticated state-sponsored or highly motivated attacker could devastate the entire Sophos user base with ease.”

Tavis is now working on a third paper in the series; it will be announced at a future date.