Google security researcher: Keep Sophos away from high value systems

[+BudMan MVC]

Google security engineer Tavis Ormandy discovered several flaws in Sophos antivirus and says the product should be kept away from high value information systems unless the company can avoid easy mistakes and issue patches faster.

Ormandy has released a scathing 30-page analysis ?Sophail: Applied attacks against Sophos Antivirus?, in which he details several flaws ?caused by poor development practices and coding standards?, topped off by the company?s sluggishly response to the warning he had working exploits for those flaws.

One of the exploits Ormandy details is for a flaw in Sophos? on-access scanner, which could be used to unleash a worm on a network simply by targeting a company receiving an attack email via Outlook. Although the example he provided was on a Mac, the ?wormable, pre-authentication, zero-interaction, remote root? affected all platforms running Sophos.

Ormandy released the paper (PDF) as an independent security researcher and concludes: ?nstalling Sophos Antivirus exposes machines to considerable risk. If Sophos do not urgently improve their security posture, their continued deployment causes significant risk to global networks and infrastructure.?

http://www.cso.com.a..._value_systems/

sophailv2.pdf

[_neutrino Veteran]

we are currently doing a rollout of Sophos Endpoint Security across all of our system where I work.

[Asrokhel]

we are currently doing a rollout of Sophos Endpoint Security across all of our system where I work.

Maybe you should reconsider that.

[thealexweb]

The number of false positives I've seen from Sophos is the worst I've ever seen from an anti-virus :(

[Yusuf M. Veteran]

Cleaned

[Phouchg]

And, in fact, do a search if your favorite security suite has been cracked/activation-bypassed or otherwise defeated by warez release groups. And then keep away from it and demand your money back, if possible. It's useless. There aren't many left these days, but they do happen. If warez people could pwn it, somebody with more evil intentions can and will do it as well, and you just might happen to be in the middle of it.

[remixedcat]

I am a sophos partner and this concerns me greatly how they've declined. I will have a talk with them about this. I am pretty irritated at all these issues....

[Growled Member]

I've never used sophos and now I'm glad that I didn't.

[C:Amie]

I am a sophos partner and this concerns me greatly how they've declined. I will have a talk with them about this. I am pretty irritated at all these issues....

remixedcat,

I would be very interested in hearing what they say to you on this. I couldn't see an official response on their site to this when I looked last night. I have their enterprise console out in a few places too.

[remixedcat]

remixedcat,

I would be very interested in hearing what they say to you on this. I couldn't see an official response on their site to this when I looked last night. I have their enterprise console out in a few places too.

I will be contacting them shortly...

[madmrcopper]

The report on The Register is worth a read on this subject http://www.theregister.co.uk/2012/11/06/sophos_multiple_vulns/

[remixedcat]

sophos contacted.... awating response..

[C:Amie]

sophos contacted.... awating response..

Thanks, I would hope that they will get independent verification of their assertion that these were fixed circa September and have some sort of statement prepared to show changes in their development process. If they do that I see no need to switch and compliment Google for giving them lead-time.

Edit: I just checked the main console and it seems that 10.2 doesn't automatically apply on rollout if you have your update manager configured to 10.x recommended. The Mac's have gone to 8.0.8.1 automatically though. So don't forget to check your update manager configs!

[remixedcat]

You're welcome... I got a response so far... will get a more detailed one later:

Hello Liz ,

Thank you for your email and taking the time to share with us the concerns you have.

Below is some information you may want to review .

Sophos has written about his findings on Naked Security http://nakedsecurity.sophos.com/2012/11/05/tavis-ormandy-sophos/

We have forwarded your email to the proper Sophos Team . They will be

the best suited to address the questions and concerns you have.

They will be reviewing the email and questions to determine the best source of action and

provide you with the correct information .

Again, thank you for notifying us of the concerns you have so that we can ensure that they are addressed for you.

Let us know if you need any further assistance.

All the best .

Regards,

[remixedcat]

got another response from Sophos:

Thanks for reaching out with this.

We most definitely appreciate Mr. Ormandy?s work with Sophos.

We can only get better with independent work like his.

As a security company, keeping customers safe is our primary responsibility. As a result, we periodically receive third party reports about areas of our products and those of other software companies. We welcome this scrutiny and are committed to investigating all vulnerability reports and implementing the best course of action in the quickest time period.

You can find our fixes and rollouts for the flagged bugs here:

http://www.sophos.com/en-us/support/knowledgebase/118424.aspx

For the updater issues, please take a look at this article which explains the root causes and how we?ve updated our solutions and procedures to prevent this from occurring in the future.

http://www.sophos.com/en-us/support/knowledgebase/shh-root-cause-analysis.aspx

Although this is not a an excuse, false positive updates are a reality that have hit every single major security company out there including McAfee, Symantec, and Trend.

It is also important to note that no serious security company can claim that their software protects everything. Threats are always evolving and changing and it is up to us to change and grow with the times.

With respect to Mr. Ormandy, he has indicated that he has not reviewed any other security software with this examination. I suspect that if he were to review other solutions his results would be quite similar and in most cases much more revealing.

Let me know if you need any other help on this.

I?ll be glad to provide any further assistance.

Take care.

[C:Amie]

remixedcat,

Thanks for coming back with that, it is exactly what I wanted (expected) to hear.

I had Anti-Virus 10.0.9 / 8.0.8.1 out already and Anti-Virus 10.2.1 went out over night. The knowledge base links were quite useful.

[remixedcat]

You're most welcome ;) are you still gonna use Sophos?

[C:Amie]

Sure, I haven't been presented with any reason to approach management and say that there is a problem that looks like it will undermine the security of the network or of users.

Mistakes and bugs happen in software development; reactionist responses about flocking to a competitor in the face of them just aren't helpful or realistic when you have spent out for site licenses. If their response had been anything else (i.e. "we *may* fix it in SAV11 after you re-license next year [but then again we may not]") or any attempt to downplay or spin it was used then after a threat assessment my response may have been different. In all honesty I find SAV Enterprise Console to be pretty tidy, yes there are a few limitations that I have issue over, but it works - and I prefer it to the likes of F-Secure's equivalent.

Also the thought of having to do a mobile device recall and changing Mac's to another vendor really doesn't appeal on the greater scheme of good uses of one's time :rofl: .

It looks like about 1/3 of my endpoints have picked up 10.2.0 or higher as of right now; about normal for a version change at this point. As usual there is one on the 4th floor that is refusing to update... they only do it because I'm on the ground floor *sigh*

:rolleyes:

[remixedcat]

Agreed. I did like their responses as well. They were also very prompt with the replies and I profusely thank them for it.