Google security researcher: Keep Sophos away from high value systems


Recommended Posts

Google security engineer Tavis Ormandy discovered several flaws in Sophos antivirus and says the product should be kept away from high value information systems unless the company can avoid easy mistakes and issue patches faster.

Ormandy has released a scathing 30-page analysis ?Sophail: Applied attacks against Sophos Antivirus?, in which he details several flaws ?caused by poor development practices and coding standards?, topped off by the company?s sluggishly response to the warning he had working exploits for those flaws.

One of the exploits Ormandy details is for a flaw in Sophos? on-access scanner, which could be used to unleash a worm on a network simply by targeting a company receiving an attack email via Outlook. Although the example he provided was on a Mac, the ?wormable, pre-authentication, zero-interaction, remote root? affected all platforms running Sophos.

Ormandy released the paper (PDF) as an independent security researcher and concludes: ?nstalling Sophos Antivirus exposes machines to considerable risk. If Sophos do not urgently improve their security posture, their continued deployment causes significant risk to global networks and infrastructure.?

http://www.cso.com.a..._value_systems/

sophailv2.pdf

And, in fact, do a search if your favorite security suite has been cracked/activation-bypassed or otherwise defeated by warez release groups. And then keep away from it and demand your money back, if possible. It's useless. There aren't many left these days, but they do happen. If warez people could pwn it, somebody with more evil intentions can and will do it as well, and you just might happen to be in the middle of it.

I am a sophos partner and this concerns me greatly how they've declined. I will have a talk with them about this. I am pretty irritated at all these issues....

I am a sophos partner and this concerns me greatly how they've declined. I will have a talk with them about this. I am pretty irritated at all these issues....

remixedcat,

I would be very interested in hearing what they say to you on this. I couldn't see an official response on their site to this when I looked last night. I have their enterprise console out in a few places too.

remixedcat,

I would be very interested in hearing what they say to you on this. I couldn't see an official response on their site to this when I looked last night. I have their enterprise console out in a few places too.

I will be contacting them shortly...

sophos contacted.... awating response..

Thanks, I would hope that they will get independent verification of their assertion that these were fixed circa September and have some sort of statement prepared to show changes in their development process. If they do that I see no need to switch and compliment Google for giving them lead-time.

Edit: I just checked the main console and it seems that 10.2 doesn't automatically apply on rollout if you have your update manager configured to 10.x recommended. The Mac's have gone to 8.0.8.1 automatically though. So don't forget to check your update manager configs!

You're welcome... I got a response so far... will get a more detailed one later:

Hello Liz ,

Thank you for your email and taking the time to share with us the concerns you have.

Below is some information you may want to review .

Sophos has written about his findings on Naked Security http://nakedsecurity.sophos.com/2012/11/05/tavis-ormandy-sophos/

We have forwarded your email to the proper Sophos Team . They will be

the best suited to address the questions and concerns you have.

They will be reviewing the email and questions to determine the best source of action and

provide you with the correct information .

Again, thank you for notifying us of the concerns you have so that we can ensure that they are addressed for you.

Let us know if you need any further assistance.

All the best .

Regards,

got another response from Sophos:

Thanks for reaching out with this.

We most definitely appreciate Mr. Ormandy?s work with Sophos.

We can only get better with independent work like his.

As a security company, keeping customers safe is our primary responsibility. As a result, we periodically receive third party reports about areas of our products and those of other software companies. We welcome this scrutiny and are committed to investigating all vulnerability reports and implementing the best course of action in the quickest time period.

You can find our fixes and rollouts for the flagged bugs here:

http://www.sophos.com/en-us/support/knowledgebase/118424.aspx

For the updater issues, please take a look at this article which explains the root causes and how we?ve updated our solutions and procedures to prevent this from occurring in the future.

http://www.sophos.com/en-us/support/knowledgebase/shh-root-cause-analysis.aspx

Although this is not a an excuse, false positive updates are a reality that have hit every single major security company out there including McAfee, Symantec, and Trend.

It is also important to note that no serious security company can claim that their software protects everything. Threats are always evolving and changing and it is up to us to change and grow with the times.

With respect to Mr. Ormandy, he has indicated that he has not reviewed any other security software with this examination. I suspect that if he were to review other solutions his results would be quite similar and in most cases much more revealing.

Let me know if you need any other help on this.

I?ll be glad to provide any further assistance.

Take care.

remixedcat,

Thanks for coming back with that, it is exactly what I wanted (expected) to hear.

I had Anti-Virus 10.0.9 / 8.0.8.1 out already and Anti-Virus 10.2.1 went out over night. The knowledge base links were quite useful.

Sure, I haven't been presented with any reason to approach management and say that there is a problem that looks like it will undermine the security of the network or of users.

Mistakes and bugs happen in software development; reactionist responses about flocking to a competitor in the face of them just aren't helpful or realistic when you have spent out for site licenses. If their response had been anything else (i.e. "we *may* fix it in SAV11 after you re-license next year [but then again we may not]") or any attempt to downplay or spin it was used then after a threat assessment my response may have been different. In all honesty I find SAV Enterprise Console to be pretty tidy, yes there are a few limitations that I have issue over, but it works - and I prefer it to the likes of F-Secure's equivalent.

Also the thought of having to do a mobile device recall and changing Mac's to another vendor really doesn't appeal on the greater scheme of good uses of one's time :rofl: .

It looks like about 1/3 of my endpoints have picked up 10.2.0 or higher as of right now; about normal for a version change at this point. As usual there is one on the 4th floor that is refusing to update... they only do it because I'm on the ground floor *sigh*

:rolleyes:

Agreed. I did like their responses as well. They were also very prompt with the replies and I profusely thank them for it.

This topic is now closed to further replies.
  • Posts

    • Google was using the old CATPCHAs data to train their LLMs. What is the say they won't use this camera data of users to train their LLM? these companies need some strict regulations!
    • Depends on what you need. Might be a bit clearer on what you plan to do with it. Sort of a waste if you get the newest and greatest, but don't know how to use it.
    • NTLite 2026.06.11200 by Razvan Serea NTLite is a Windows configuration tool that allows you to modify your existing Windows install or an image yet to be deployed, remove Windows components, configure and integrate, speed up the Windows deployment process. Reduce Windows footprint on your RAM and storage drive memory. Remove components of your choice, guarded by compatibility safety mechanisms, which speed up finding that sweet spot. Windows Unattended feature support, providing many commonly used options on a single page for easy setup. Easily integrate a single or multiple drivers, update or language packages. Package integration features smart sorting, enabling you to seamlessly add packages for integration and the tool will apply them in the appropriate order, keeping hotfix compatibility in check. One of the important new features of NTLite (compared to its predecessors) is the ability to modify an already installed the operating system, by removing unnecessary components. Supports Windows 11, 10, 8.1 and 7, x86 and x64, live and image. Server editions of the same versions, excluding support for component removals and feature configuration. ARM64 image support in the alpha stage. Does not support Checked/Debug, Embedded, IoT editions, nor Vista or XP. NTLite 2026.06.11200 changelog: New Secure Boot Migration support: Verification, certificate staging, and boot-manager/sector update across the Image, Updates, Apply, and Create-ISO pages (2023 CA migration, optional 2011 revocation, Anti-rollback, Boot sector choice etc) Secure Boot Host Readiness: Live host Secure Boot migration monitor and Servicing-task control Option under Image page - C:\Windows row, or load the host as the target - Updates - Secure Boot Image: 'Sort mounted images first' option for the image list in Menu-Settings UI: Hover description card for Components and Unattended pages, selectable text and quick access to Compatibility options Command line: Relay commands into the already-running instance Enables controlling already running NTLite via ntlite.exe Use /NewInstance to launch an additional instance using CLI operations (premium) UI: 'New instance' option via main menu instead of a secondary ntlite.exe prompt Apply: Hide individual Apply-page notes with a per-note dismiss (X), critical excluded Settings: 'Unsigned RDP file launch warnings' tweak (RDP client), bypassing the April 2026 security-update prompt on RDP connections Upgrade Image: Live OS and deployed image editing now unlocked on free/test licenses, same licensing as images Image: 'Recompress' option in manual dialog Remove Editions to shrink the WIM in one session Image: SWM part size set inline on the Apply page and image dialogs, split-size popup retired Image: Relative 'Last change' dates; editions grouped by build time to reduce noise Image: 'Forget - Missing' on the Edit-cache menu to mass drop entries whose folder is gone Components: Root groups reorganized - user-facing groups first, system/critical last Components: Show filter options to view components by Template or App-type, since Apps are now merged into groups Presets: Delete confirmation now lists the multi-selected preset names UI: Design update propagated to the rest of the tool UI: Filter and search match words in any order and partially, better results filtering Components Unattended: Input-locale language derives from the user locale, with an independent keyboard picker, enables combinations previously unavailable Unattended: Input-locale now allows for a user value override Unattended: Localization OOBE WinPE now can be copied with the new WinPE Copy OOBE localization toggle, enter locale settings once for both stages Updates: Downloader greys and locks updates the image already carries (hotfix and MSIX) Updates: Resume interrupted update downloads Command line: Many upgrades, see /?, now prints help to the console or redirected output UI-Translation: Finnish language added, also thanks for Chinese Traditional (Matt), French (tistou77), Italian (clarensio), Russian (RDS), Swedish (1FF), Vietnamese (Vu Anh Vu) Fix Components: Containers removal breaking Apps deployment Components: Microsoft Account had leftovers when Easy Migrate is kept Image: Export to an existing WIM improvements, Append renamed to Merge Image: Improved 26H1 live removal support Image: No more 'X:\ not accessible' popup for certain drives during image scan Presets: Manual image refresh picks up presets added/removed outside the app Tweaks: Disabled visual-effect animations no longer return after first logon on a new profile Tweaks: Live Visual Effects toggles (animations, drag full windows, font smoothing) now apply correctly Download: NTLite 2026.06.11200 | 20.5 MB (Free, paid upgrade available) Link: NTLite Home Page | NTLite Features | Screenshot Get alerted to all of our Software updates on Twitter at @NeowinSoftware
    • Ah. La Fontana De Incontinentia ! Bella ! Bella !
    • Hi everyone, I'm planning a small network upgrade and was wondering how others prepare their networks for future needs. Do you usually invest in higher-speed switches and better cabling from the start, or do you upgrade only when necessary? I'd be interested in hearing what has worked well for you and any lessons you've learned over time. Thanks!
  • Recent Achievements

    • One Year In
      BA the Curmudgeon earned a badge
      One Year In
    • Conversation Starter
      rosiecharles earned a badge
      Conversation Starter
    • First Post
      KMilenkoski1202 earned a badge
      First Post
    • First Post
      carols23 earned a badge
      First Post
    • One Month Later
      Tom Willson earned a badge
      One Month Later
  • Popular Contributors

    1. 1
      +primortal
      504
    2. 2
      +Edouard
      257
    3. 3
      PsYcHoKiLLa
      151
    4. 4
      Steven P.
      93
    5. 5
      macoman
      67
  • Tell a friend

    Love Neowin? Tell a friend!