ID: IRCNE2012111674
Date: 2012-11-10
According to "techworld", security researcher Tavis Ormandy discovered critical vulnerabilities in the antivirus product developed by UK-based security firm Sophos and advised organisations to avoid using the product on critical systems unless the vendor improves its product development, quality assurance and security response practices.
Ormandy, who works as an information security engineer at Google, disclosed details about the vulnerabilities he found in a research paper entitled "Sophail: Applied attacks against Sophos Antivirus" that was published on Monday. Ormandy noted that the research was performed in his spare time and that the views expressed in the paper are his own and not those of his employer.
The paper contains details about several vulnerabilities in the Sophos antivirus code responsible for parsing Visual Basic 6, PDF, CAB and RAR files. Some of these flaws can be attacked remotely and can result in the execution of arbitrary code on the system.
Ormandy even included a proof-of-concept exploit for the PDF parsing vulnerability which he claims requires no user interaction, no authentication and can be easily transformed into a self-spreading worm.
The researcher built the exploit for the Mac version of Sophos antivirus, but noted that the vulnerability also affects Windows and Linux versions of the product and the exploit can easily be translated to those platforms.
The PDF parsing vulnerability can be exploited by simply receiving an email in Outlook or Mail.app, Ormandy said in the paper. Because Sophos antivirus automatically intercepts input and output (I/O) operations, opening or reading the email is not even necessary.
Ormandy's paper contains a section that describes best practices and includes the researcher's recommendations for Sophos customers, like implementing contingency plans that would allow them to disable Sophos antivirus installations on short notice.
- 2