Google Security Engineer Issues Sophos Warning 89
angry tapir writes "Google security engineer Tavis Ormandy discovered several flaws in Sophos antivirus and says the product should be kept away from high value information systems unless the company can avoid easy mistakes and issue patches faster. Ormandy has released a scathing 30-page analysis (PDF) 'Sophail: Applied attacks against Sophos Antivirus,' in which he details several flaws 'caused by poor development practices and coding standards,' topped off by the company's sluggishly response to the warning he had working exploits for those flaws. One of the exploits Ormandy details is for a flaw in Sophos' on-access scanner, which could be used to unleash a worm on a network simply by targeting a company receiving an attack email via Outlook. Although the example he provided was on a Mac, the 'wormable, pre-authentication, zero-interaction, remote root' affected all platforms running Sophos. (Ormandy released the paper as an independent researcher, not in his role as a Google employee.)"
Re:Can someone explain (Score:2, Informative)
Because large organisations don't have users installing unmanaged anti-virus software on company owned endpoints.
Sophos (at least in my country) barely rates a mention in the consumer/home user anti-virus market, but they are massive in the enterprise market.
Released.... in August! (Score:5, Informative)
This was the subject of a talk given at Black Hat (or was it DEFCON?) in August out in 'Vegas. Why it's news now suddenly is a mystery to me. The guy did thoroughly hack the product to include reversing it's signature encryption (homebrew crypto?!) and figuring out that some features simply didn't work. However at the time of the talk he also told the audience that he had been working with the company and that they had changed some things and would be switching to standard crypto. I'd still agree the company comes across as slimy since some of their claims were pure crap (some signatures apparently obviously machine generated despite claims they didn't do that etc.) but now months later to post this like it's news? Really? Maybe he should have had this paper ready to roll right after the talk?
http://www.blackhat.com/html/bh-us-11/bh-us-11-briefings.html#Ormandy [blackhat.com]
Re:Can someone explain (Score:4, Informative)
Why a user would not simply install MS Security Essentials and be done with it?
Among other considerations(like central management), I'm pretty sure that the MSSE license frowns on use in anything larger than a home/home office type environment.
Re:Can someone explain (Score:5, Informative)
Official Sophos Response. (Score:5, Informative)
From http://nakedsecurity.sophos.com/2012/11/05/tavis-ormandy-sophos/ [sophos.com] and reprinted here in case of slashdotting...
As a security company, keeping customers safe is Sophos's primary responsibility. As a result, Sophos experts investigate all vulnerability reports and implement the best course of action in the tightest time period possible.
Recently, researcher Tavis Ormandy contacted Sophos about an examination he had done of Sophos's anti-virus product, identifying a number of issues:
A remote code execution vulnerability was discovered in how the Sophos anti-virus engine scans malformed Visual Basic 6 compiled files. Sophos has seen no evidence of this vulnerability being exploited in the wild.
First reported to Sophos: 10 September 2012
Roll-out of a fix for Sophos customers completed: 22 October 2012 (42 days later)
The Sophos web protection and web control Layered Service Provider (LSP) block page was found to include a XSS flaw. Sophos has seen no evidence of this vulnerability being exploited in the wild.
First reported to Sophos: 10 September 2012
Roll-out of a fix for Sophos customers completed: 22 October 2012 (42 days later)
An issue was identified with the BOPS technology in Sophos Anti-Virus for Windows and how it interacted with ASLR on Windows Vista and later. Sophos has seen no evidence of this vulnerability being exploited in the wild.
First reported to Sophos: 10 September 2012
Roll-out of a fix for Sophos customers completed: 22 October 2012 (42 days later)
An issue was identified in how Sophos protection interacts with Internet Explorer's Protected Mode. Sophos has seen no evidence of this vulnerability being exploited in the wild.
First reported to Sophos: 10 September 2012
Roll-out of a fix for Sophos customers cbegan: 5 November 2012 (56 days later)
Vulnerabilities were found in how Sophos's anti-virus engine handles malformed CAB files. These vulnerabilities could cause the Sophos engine to corrupt memory. Sophos has seen no evidence of this vulnerability being exploited in the wild.
First reported to Sophos: 10 September 2012
Roll-out of a fix for Sophos customers completed: 22 October 2012 (42 days later)
Vulnerabilities were found in how Sophos's anti-virus engine handles malformed RAR files. These vulnerabilities could cause the Sophos engine to corrupt memory. Sophos has seen no evidence of this vulnerability being exploited in the wild.
First reported to Sophos: 10 September 2012
Roll-out of a fix for Sophos customers began: 5 November 2012 (56 days later)
A remote code execution vulnerability was discovered in how the Sophos anti-virus engine scans malformed PDF files. Sophos has seen no evidence of this vulnerability being exploited in the wild.
First reported to Sophos: 5 October 2012
Roll-out of a fix for Sophos customers began: 5 November 2012 (31 days later)
Tavis Ormandy has provided examples of other malformed files which can cause the Sophos anti-virus engine to halt - these are being examined by Sophos experts. Sophos has seen no evidence of this occurring in the wild.
First reported to Sophos: 4 October 2012
Roll-out of a fix for Sophos customers will begin: 28 November 2012 (55 days later)
Best practice
Sophos customers are reminded of the following best practices:
1. Keep systems patched and up to date
2. Upgrade to the latest version of Sophos software to get the best protection
Responsible disclosure
Sophos believes in responsible disclosure.
The work of Tavis Ormandy, and others like him in the research community, who choose to work alongside security companies, can significantly strengthen software products. On behalf of its partners and customers, Sophos appreciates Tavis Ormandy's efforts and responsible approach.
Re:Can someone explain (Score:2, Informative)
Then again, Dave Kennedy recently recommended MSE at a security conference I went to. Says it's much better than most of the other AVs he tested by far. It might be a desktop oriented product, but it does the job.
Re:Can someone explain (Score:5, Informative)
Security essentials is packaged for businesses as Forefront, and can be managed centrally.
Being "massive in the enterprise market" doesnt mean youre good at it.
Re:Can someone explain (Score:5, Informative)
Bingo. I work at a large fortune 10 company with a few hundred thousand employees and it seems like a monthly occurrence where Sophos actively gets in the way. If it's not flagging benign content, it's causing resource problems on end-user systems. To call their support sluggish would be doing it a kindness. I believe we're actively looking for a replacement.
Re:Can someone explain (Score:5, Informative)
Security essentials is packaged for businesses as Forefront
You're so last month! We're calling it System Center Endpoint Protection [microsoft.com] now, because it rolls off the tongue more naturally.
Re:Can someone explain (Score:4, Informative)
I generally still believe that most normal Windows users are better off with some AV software, but nowadays when they still get infected and I still have to fix their frigging machines for them, it starts making me wonder whether they really are better off - the malware people do have access to the AV software so they can tweak their malware till it passes all of them.
Even though I don't use AV software, I won't get badly affected by most drive-bys since my browser does not run as the same user account as the account I use to log in to windows. The drive-by might set up the autorun and start up hooks, but they only apply to the browser account, which I don't use to log in. That browser has noscript and adblock too. I also use different browsers for banking (so pwning my Slashdot browser won't get you my bank stuff).
And I know how to upload stuff to virustotal to check before running it. So if the 30+ different AV software can't spot the virus, the virus would not be detected either if I installed AV software on my computer. The difference is the installed AV software would be using up my system resources every day, whereas I only need to do that check once in a long while. And the AV stuff is often exploitable[1] and they also have a habit of marking important stuff (or almost everything) as malware every few years.
If you pwn my video driver or do other stuff (zero day OS privilege escalation) then sure you can pwn me, but I bet the AV crap won't stop you either.
[1] Sophos, Symantec, McAfee, etc if you can crash them, they are likely to be exploitable, and their crappy software runs with higher privileges than my browsers.