Vulnerabilities / Threats
01:04 PM

Sophos AV Teardown Reveals Critical Vulnerabilities

Antivirus vendor says it's patched all software flaws disclosed by researcher, some of which could be used to remotely control Windows, Mac, or Linux system.

Who Is Hacking U.S. Banks? 8 Facts
Who Is Hacking U.S. Banks? 8 Facts
(click image for larger view and for slideshow)
Sophos has patched seven vulnerabilities in its antivirus software, including bugs that could be used by an attacker to take control of a Windows, Mac, or Linux system.

By exploiting the vulnerabilities, an attacker may be able to gain control of the system, escalate privileges, or cause a denial-of-service condition, according to a related security bulletin released the U.S. Computer Emergency Readiness Team (US-CERT).

The vulnerabilities were identified by Tavis Ormandy, a security researcher at Google, after he reverse-engineered the Sophos antivirus application in his spare time. "By design, antivirus products introduce a vast attack surface to a hostile environment. The vendors of these products have a responsibility to uphold the highest secure development standards possible to minimize the potential for harm caused by their software," said Ormandy in a related research paper, "Sophail: Applied attacks against Sophos Antivirus."

[ Tempted to strike back by hacking a hacker? Read this first: 9 Facts: Play Offense Against Security Breaches. ]

Ormandy said the paper focuses on "the process a sophisticated attacker would take when targeting Sophos users," noting that it applies to all platforms that Sophos supports, including Windows, Mac, Linux and their SAVI SDK product. SAVI SDK refers to the software development toolkit that Sophos OEM partners can use to integrate its antivirus application into other security software.

Graham Cluley, a senior technology consultant at Sophos, Monday confirmed the vulnerabilities, and said Sophos has seen no in-the-wild attacks that exploit the bugs. In a blog post, Cluley also commended Ormandy's "responsible approach" to bug disclosure, noting that Sophos was informed of the vulnerabilities prior to the researcher detailing them publicly, which gave it time to patch most of them.

All told, Ormandy identified eight previously undocumented vulnerabilities. The first was reported to Sophos on September 10, 2012, and the most recent on October 5. Sophos said it began releasing fixes for the issues in October, and by Monday had issued patches for all but one of the vulnerabilities.

The two most critical bugs -- both now patched by Sophos -- stemmed from the manner in which the Sophos AV engine scans files that were compiled using Visual Basic 6, as well as malformed PDF files. Both bugs could be exploited by attackers to run arbitrary code on targeted PCs.

Other vulnerabilities patched by Sophos include a Web protection and blocking page that included a cross-site scripting flaw, a bug relating to how the Sophos AV buffer overflow protection system interacts with address space layout randomization (ASLR) -- present in all versions of Windows starting with Vista -- and errors relating to how Sophos AV handles CAB and malformed RAR files, either of which could lead to memory corruption errors.

The sole unpatched vulnerability discovered by Ormandy relates to a scanning problem. "Tavis Ormandy has provided examples of other malformed files which can cause the Sophos anti-virus engine to halt -- these are being examined by Sophos experts," said Cluley, who reported that the company had seen no evidence of this occurring in the wild. Interestingly, Apple users of the free Sophos AV product have reported that scans can regularly cause their Macs to hang, seemingly after encountering malformed files.

Ormandy has made a hobby out of investigating the Sophos antivirus software. Last year, he reverse-engineered the core AV engine in Sophos Antivirus 9.5 for Windows. At the time, Ormandy criticized the Sophos software for employing poor buffer-overflow protection and cryptography, and for including a host-intrusion prevention system that was compatible only with Windows XP and earlier versions of Windows.

From a coding standpoint, how does Sophos antivirus software compare with the competition? That question is difficult to answer, since Ormandy studied only one antivirus vendor's product, but with luck, his research will inspire others to undertake similar investigations of other antivirus products.

As for Sophos, however, Ormandy's research raises troubling questions. For example, why does a firm that sells security software seem to have side-stepped secure coding practices and failed to embrace modern attack-mitigation technologies, such as ASLR?

Many of the discovered vulnerabilities "could have been severely limited by correct security design, employing modern isolation and exploit mitigation techniques," said Ormandy. "However, Sophos either disables or opts out of most major mitigation technologies, even disabling them for other software on the host system. This makes the exploitation process straightforward, providing a homogeneous exploitation environment conducive to wide-scale attack."

According to Ormandy, after he notified Sophos of the bugs he'd discovered, the company requested that he withhold publishing the details until it had time to release related patches, and he agreed to do so. "Sophos [was] able to convince me they were working with good intentions, but they were clearly ill-equipped to handle the output of one cooperative security researcher working in his spare time," he said. "They told me they will work on this and will improve their internal security practices." No doubt a third research report from Ormandy in a year's time will review the company's results.

Attackers are increasingly using a simple method for finding flaws in websites and applications: They Google them. Using Google code search, hackers can identify crucial vulnerabilities in application code strings, providing the entry point they need to break through application security. In our report, Using Google To Find Vulnerabilities In Your IT Environment, we outline methods for using search engines such as Google and Bing to identify vulnerabilities in your applications, systems and services--and to fix them before they can be exploited. (Free registration required.)

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2015-01-27
Stack-based buffer overflow in the Attachmate Reflection FTP Client before 14.1.433 allows remote FTP servers to execute arbitrary code via a large PWD response.

Published: 2015-01-27
The Gst.MapInfo function in Vala 0.26.0 and 0.26.1 uses an incorrect buffer length declaration for the Gstreamer bindings, which allows context-dependent attackers to cause a denial of service (crash) or possibly execute arbitrary code via unspecified vectors, which trigger a heap-based buffer overf...

Published: 2015-01-27
The Schneider Electric ETG3000 FactoryCast HMI Gateway with firmware before 1.60 IR 04 stores rde.jar under the web root with insufficient access control, which allows remote attackers to obtain sensitive setup and configuration information via a direct request.

Published: 2015-01-27
The FTP server on the Schneider Electric ETG3000 FactoryCast HMI Gateway with firmware through 1.60 IR 04 has hardcoded credentials, which makes it easier for remote attackers to obtain access via an FTP session.

Published: 2015-01-27
Unquoted Windows search path vulnerability in the GoogleChromeDistribution::DoPostUninstallOperations function in installer/util/ in the uninstall-survey feature in Google Chrome before 40.0.2214.91 allows local users to gain privileges via a Trojan horse program in the ...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
If you’re a security professional, you’ve probably been asked many questions about the December attack on Sony. On Jan. 21 at 1pm eastern, you can join a special, one-hour Dark Reading Radio discussion devoted to the Sony hack and the issues that may arise from it.