Google Researcher: Sophos Flaws Present ‘A Real Global Threat’

A Google security researcher has highlighted various issues in Sophos security products, claiming they amounted to a “real global threat” due to the critical workloads the firm protects.

Sophos has claimed none of the threats highlighted by Ormandy are being abused by hackers, however.

Tavis Ormandy has been looking into the safety of Sophos products for over a year. In August 2011, he pointed out that Sophos uses old encryption algorithms in certain products, amongst other problems.

Yet antagonism between Ormandy and Sophos stretches back further, to June 2010, when the company’s senior technology consultant Graham Cluley slammed Ormandy for revealing a zero-day vulnerability in Windows XP’s Help and Support Center. Cluley accused the Google engineer of “utterly irresponsible behaviour” for only giving Microsoft five days to issue a patch before going public.

Sophos vs. Ormandy

Today, Ormandy published more of his research into Sophos, claiming to have found “multiple memory corruption and product design flaws” and showed how attacks could work to exploit the products. He accused the firm of “poor development practices and coding standards”.

“Sophos lack good quality exploit mitigation, which makes the exploitation process relatively straightforward,” he wrote.

One flaw was resident in the way Sophos anti-virus dealt with PDF documents, which opened up a buffer overflow issue, potentially letting an attacker carry out a denial of service attack on the product.

He also claimed the Sophos Web Intelligence product had a universal XSS vulnerability, which disabled the Same Origin Policy in web browsers, allowing a malicious website to interact with users’ various accounts, including mail, intranet systems and banks.

The Same Origin Policy prevents scripts served by one site from reading or interacting with content belonging to another. This is particularly important in keeping cookies secure: a common XSS attack steals a user’s cookies and sends them to a website the attackers control.

Outside of the various vulnerabilities, Ormandy even accused Sophos products of harming security protections in Windows, claiming the firm’s Buffer Overflow Protection System (BOPS) effectively disabled Address Space Layout Randomisation (ASLR) on all Microsoft Windows platforms that have Sophos installed. This could allow “attackers to develop reliable exploits for what might otherwise have been safe systems”.

ASLR strengthens system security by randomising the memory layout of an executing program, decreasing the probability of exploiting a known memory manipulation vulnerability. “It is simply inexcusable to disable ASLR systemwide like this, especially in order to sell a naive alternative to customers that is functionally poorer than that provided by Microsoft,” Ormandy said.
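ASLR on Windows is opt-in per binary: the linker sets the DYNAMIC_BASE bit in the PE optional header’s DllCharacteristics field, and the loader randomises the image base only for binaries that carry it. The following added example (not code from the article, Sophos or Ormandy) is a small header parser a defender can run over a binary to confirm whether it opts into ASLR, high-entropy ASLR and DEP. The `build_minimal_pe` helper is an assumption of the example: it fabricates just enough header bytes for the parser to read, so the script runs offline without a real executable.

```python
import struct

# Flag bits of the PE optional header's DllCharacteristics field
# (IMAGE_DLLCHARACTERISTICS_* in winnt.h).
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA = 0x0020
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040   # the per-binary ASLR opt-in
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100      # DEP opt-in

PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B


def pe_mitigations(data: bytes) -> dict:
    """Parse the headers of a PE image held in memory and report which
    exploit mitigations the binary itself opts into."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ signature")
    # e_lfanew (offset 0x3C of the DOS header) points at the "PE\0\0" signature.
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    coff = e_lfanew + 4
    # COFF header (20 bytes): Machine(2) NumberOfSections(2) TimeDateStamp(4)
    # PointerToSymbolTable(4) NumberOfSymbols(4) SizeOfOptionalHeader(2) Characteristics(2)
    (size_of_optional,) = struct.unpack_from("<H", data, coff + 16)
    opt = coff + 20
    if size_of_optional < 72 or len(data) < opt + 72:
        raise ValueError("optional header too short to hold DllCharacteristics")
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError(f"unknown optional header magic 0x{magic:x}")
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+ optional headers.
    (dll_chars,) = struct.unpack_from("<H", data, opt + 70)
    return {
        "pe32plus": magic == PE32PLUS_MAGIC,
        "aslr": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "high_entropy_va": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA),
        "dep": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
    }


def check_file(path: str) -> dict:
    """Convenience wrapper: run the check over a binary on disk."""
    with open(path, "rb") as fh:
        return pe_mitigations(fh.read())


def build_minimal_pe(dll_characteristics: int, pe32plus: bool = True) -> bytes:
    """Constructed sample (hypothetical helper, not a loadable executable):
    only the header fields the parser above reads are filled in."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt_size = 240 if pe32plus else 224
    machine = 0x8664 if pe32plus else 0x14C
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, 0x0002)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<H", opt, 70, dll_characteristics)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    hardened = build_minimal_pe(IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
                                | IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
                                | IMAGE_DLLCHARACTERISTICS_NX_COMPAT)
    legacy = build_minimal_pe(0, pe32plus=False)
    print("hardened sample:", pe_mitigations(hardened))
    print("legacy sample:  ", pe_mitigations(legacy))
```

The check only tells you what a binary asks for. The article’s point about BOPS is a different failure: a kernel-side or system-wide component can leave every binary’s DYNAMIC_BASE bit intact yet still defeat the randomisation, so a clean result from a header scan does not by itself prove ASLR is in effect on a given host. Confirming that requires observing actual load addresses across reboots on the machine in question.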

The Google researcher, who agreed not to publish his findings for two months, was not happy with Sophos’ response to his findings either, claiming the weaknesses in the various products could have major ramifications.

“A sophisticated state-sponsored or highly motivated attacker could devastate the entire Sophos user base with ease,” he added.

“The chaos a motivated attacker could cause to these systems is a realistic global threat. For this reason, Sophos products should only ever be considered for low-value non-critical systems and never deployed on networks or environments where a complete compromise by adversaries would be inconvenient.”

Sophos the peacemaker

But Sophos has responded to these extraordinary claims. It said none of the flaws highlighted by Ormandy had been seen in the wild and noted there were fixes for some of the issues, including the XSS vulnerability and the PDF problem.

Several of those fixes were released today. Sophos, on its Naked Security blog, said Ormandy had also provided examples of “other malformed files which can cause the Sophos anti-virus engine to halt”. “These are being examined by Sophos experts and rollout of fixes to Sophos customers will begin on November 28th 2012,” the firm added.

Sophos even said it “appreciates Tavis Ormandy’s efforts and responsible approach”. It had not offered a response to Ormandy’s coding criticisms at the time of publication.


Thomas Brewster

Tom Brewster is TechWeek Europe's Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.
