Tavis Ormandy is dismayed at Sophos security but the company claims there is nothing to be worried about
A Google security researcher has highlighted various issues in Sophos security products, claiming they amounted to a “real global threat” due to the critical workloads the firm protects.
Sophos has claimed none of the threats highlighted by Ormandy are being abused by hackers, however.
Tavis Ormandy has been looking into the safety of Sophos products for over a year. In August 2011, he pointed out that Sophos uses old encryption algorithms in certain products, amongst other problems.
Yet antagonism between Ormandy and Sophos stretches back further, to June 2010, when the company’s senior technology consultant Graham Cluley (pictured) slammed Ormandy for revealing a zero-day vulnerability in Windows XP’s Help and Support Center. Cluley accused the Google engineer of “utterly irresponsible behaviour” for only giving Microsoft five days to issue a patch before going public.
Sophos vs. Ormandy
Today, Ormandy published more of his research into Sophos, claiming to have found “multiple memory corruption and product design flaws” and showed how attacks could work to exploit the products. He accused the firm of “poor development practices and coding standards”.
“Sophos lack good quality exploit mitigation, which makes the exploitation process relatively straightforward,” he wrote.
One flaw was resident in the way Sophos anti-virus dealt with PDF documents, which opened up a buffer overflow issue, potentially letting an attacker carry out a denial of service attack on the product.
He also claimed the Sophos Web Intelligence product had a universal XSS vulnerability, which disabled the Same Origin Policy in web browsers, allowing a malicious website to interact with users’ various accounts, including mail, intranet systems and banks.
The Same Origin Policy prevents scripts originating from different sites interacting with one another. This is particularly important in keeping cookies secure. An XSS attack takes cookies and then delivers them to the hackers’ website.
Outside of the various vulnerabilities, Ormandy even accused Sophos products of harming security protections in Windows, claiming the firm’s Buffer Overflow Protection System (BOPS) effectively disabled Address Space Layout Randomisation (ASLR) on all Microsoft Windows platforms that have Sophos installed. This could allow “attackers to develop reliable exploits for what might otherwise have been safe systems”.
ASLR strengthens system security by randomising the memory layout of an executing program, decreasing the probability of exploiting a known memory manipulation vulnerability. “It is simply inexcusable to disable ASLR systemwide like this, especially in order to sell a naive alternative to customers that is functionally poorer than that provided by Microsoft,” Ormandy said.
The Google researcher, who agreed not to publish his findings for two months, was not happy with Sophos’ response to his findings either, claiming the weaknesses in the various products could have major ramifications.
“The chaos a motivated attacker could cause to these systems is a realistic global threat. For this reason, Sophos products should only ever be considered for low-value non-critical systems and never deployed on networks or environments where a complete compromise by adversaries would be inconvenient.”
Sophos the peacemaker
But Sophos has responded to these extraordinary claims. It said none of the flaws highlighted by Ormandy had been seen in the wild and noted there were fixes for some of the issues, including the XSS vulnerability and the PDF problem.
A number of those fixes have been addressed today. Sophos, on its Naked Security blog, said Ormandy had also provided examples of “other malformed files which can cause the Sophos anti-virus engine to halt”. “These are being examined by Sophos experts and rollout of fixes to Sophos customers will begin on November 28th 2012,” the firm added.
Sophos even said it “appreciates Tavis Ormandy’s efforts and responsible approach”. It had not offered a response to Ormandy’s coding criticisms at the time of publication.
Are you a security pro? Try our quiz!