Google Security Engineer Issues Sophos Warning 89
angry tapir writes "Google security engineer Tavis Ormandy discovered several flaws in Sophos antivirus and says the product should be kept away from high value information systems unless the company can avoid easy mistakes and issue patches faster. Ormandy has released a scathing 30-page analysis (PDF) 'Sophail: Applied attacks against Sophos Antivirus,' in which he details several flaws 'caused by poor development practices and coding standards,' topped off by the company's sluggishly response to the warning he had working exploits for those flaws. One of the exploits Ormandy details is for a flaw in Sophos' on-access scanner, which could be used to unleash a worm on a network simply by targeting a company receiving an attack email via Outlook. Although the example he provided was on a Mac, the 'wormable, pre-authentication, zero-interaction, remote root' affected all platforms running Sophos. (Ormandy released the paper as an independent researcher, not in his role as a Google employee.)"
Can someone explain (Score:4, Insightful)
Re:Released.... in August! (Score:5, Insightful)
Oh yeah, I asked the guy after his talk if he was going to research any other AV products - his response was that no he wasn't. I wish he would or that perhaps someone else would. I'm pretty sure Sophos isn't the high bar in AV but I'm betting that there may be some others with some pretty crappy behavior out there that haven't been highlighted. Why not give them a shot too? Wasn't clear why these guys were such a target although he did mention their being used in various hardware products as an AV engine as part of the reason .
Re:Official Sophos Response. (Score:5, Insightful)
What's worse?
1. That a security company had so many serious flaws in a flagship product
2. That the same security company considers it OK to take (on average) over 40 days to fix the issues. Remember that this is an Anti-virus product. One of the main use cases is to respond quickly to flaws in other software, to cover the period between the flaw becoming known, and the vendor releasing a fix.
3. That most clients won't see a problem with 2.
Re:Official Sophos Response. (Score:2, Insightful)
1. Well now it has that many fewer flaws. Yeah, it seems like a lot, but I'm not convinced Sophos has significantly more flaws than any other software. The previous AV product we used (McAfee) was buggy as hell, all the time. How many patches has Windows or Linux, or any other AV product or frankly any other significant piece of non-trivial software product on the market received? I'm confident the answer is 'more than 8' in all cases.
2. 40 days for a vulnerability which has not been disclosed publicly and is not being exploited in the wild isn't the worse thing in the world. It's not great, but it could be a McAfee product, and your computer could just freeze up periodically for minutes at a time when it updates.
3. The company I work for uses Sophos. Sure, I'd like to see the problems fixed sooner. Were the circumstances different (publicly release vulnerability and/or actively exploited) no doubt it would have been patched sooner, but the patch would have been less thoroughly tested. I'm happy with this response.