Vulnerabilities / Threats
11/7/2012
01:04 PM
50%
50%

Sophos AV Teardown Reveals Critical Vulnerabilities

Antivirus vendor says it's patched all software flaws disclosed by researcher, some of which could be used to remotely control Windows, Mac, or Linux system.

Who Is Hacking U.S. Banks? 8 Facts
Who Is Hacking U.S. Banks? 8 Facts
(click image for larger view and for slideshow)
Sophos has patched seven vulnerabilities in its antivirus software, including bugs that could be used by an attacker to take control of a Windows, Mac, or Linux system.

By exploiting the vulnerabilities, an attacker may be able to gain control of the system, escalate privileges, or cause a denial-of-service condition, according to a related security bulletin released the U.S. Computer Emergency Readiness Team (US-CERT).

The vulnerabilities were identified by Tavis Ormandy, a security researcher at Google, after he reverse-engineered the Sophos antivirus application in his spare time. "By design, antivirus products introduce a vast attack surface to a hostile environment. The vendors of these products have a responsibility to uphold the highest secure development standards possible to minimize the potential for harm caused by their software," said Ormandy in a related research paper, "Sophail: Applied attacks against Sophos Antivirus."

[ Tempted to strike back by hacking a hacker? Read this first: 9 Facts: Play Offense Against Security Breaches. ]

Ormandy said the paper focuses on "the process a sophisticated attacker would take when targeting Sophos users," noting that it applies to all platforms that Sophos supports, including Windows, Mac, Linux and their SAVI SDK product. SAVI SDK refers to the software development toolkit that Sophos OEM partners can use to integrate its antivirus application into other security software.

Graham Cluley, a senior technology consultant at Sophos, Monday confirmed the vulnerabilities, and said Sophos has seen no in-the-wild attacks that exploit the bugs. In a blog post, Cluley also commended Ormandy's "responsible approach" to bug disclosure, noting that Sophos was informed of the vulnerabilities prior to the researcher detailing them publicly, which gave it time to patch most of them.

All told, Ormandy identified eight previously undocumented vulnerabilities. The first was reported to Sophos on September 10, 2012, and the most recent on October 5. Sophos said it began releasing fixes for the issues in October, and by Monday had issued patches for all but one of the vulnerabilities.

The two most critical bugs -- both now patched by Sophos -- stemmed from the manner in which the Sophos AV engine scans files that were compiled using Visual Basic 6, as well as malformed PDF files. Both bugs could be exploited by attackers to run arbitrary code on targeted PCs.

Other vulnerabilities patched by Sophos include a Web protection and blocking page that included a cross-site scripting flaw, a bug relating to how the Sophos AV buffer overflow protection system interacts with address space layout randomization (ASLR) -- present in all versions of Windows starting with Vista -- and errors relating to how Sophos AV handles CAB and malformed RAR files, either of which could lead to memory corruption errors.

The sole unpatched vulnerability discovered by Ormandy relates to a scanning problem. "Tavis Ormandy has provided examples of other malformed files which can cause the Sophos anti-virus engine to halt -- these are being examined by Sophos experts," said Cluley, who reported that the company had seen no evidence of this occurring in the wild. Interestingly, Apple users of the free Sophos AV product have reported that scans can regularly cause their Macs to hang, seemingly after encountering malformed files.

Ormandy has made a hobby out of investigating the Sophos antivirus software. Last year, he reverse-engineered the core AV engine in Sophos Antivirus 9.5 for Windows. At the time, Ormandy criticized the Sophos software for employing poor buffer-overflow protection and cryptography, and for including a host-intrusion prevention system that was compatible only with Windows XP and earlier versions of Windows.

From a coding standpoint, how does Sophos antivirus software compare with the competition? That question is difficult to answer, since Ormandy studied only one antivirus vendor's product, but with luck, his research will inspire others to undertake similar investigations of other antivirus products.

As for Sophos, however, Ormandy's research raises troubling questions. For example, why does a firm that sells security software seem to have side-stepped secure coding practices and failed to embrace modern attack-mitigation technologies, such as ASLR?

Many of the discovered vulnerabilities "could have been severely limited by correct security design, employing modern isolation and exploit mitigation techniques," said Ormandy. "However, Sophos either disables or opts out of most major mitigation technologies, even disabling them for other software on the host system. This makes the exploitation process straightforward, providing a homogeneous exploitation environment conducive to wide-scale attack."

According to Ormandy, after he notified Sophos of the bugs he'd discovered, the company requested that he withhold publishing the details until it had time to release related patches, and he agreed to do so. "Sophos [was] able to convince me they were working with good intentions, but they were clearly ill-equipped to handle the output of one cooperative security researcher working in his spare time," he said. "They told me they will work on this and will improve their internal security practices." No doubt a third research report from Ormandy in a year's time will review the company's results.

Attackers are increasingly using a simple method for finding flaws in websites and applications: They Google them. Using Google code search, hackers can identify crucial vulnerabilities in application code strings, providing the entry point they need to break through application security. In our report, Using Google To Find Vulnerabilities In Your IT Environment, we outline methods for using search engines such as Google and Bing to identify vulnerabilities in your applications, systems and services--and to fix them before they can be exploited. (Free registration required.)

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-2208
Published: 2014-12-28
CRLF injection vulnerability in the LightProcess protocol implementation in hphp/util/light-process.cpp in Facebook HipHop Virtual Machine (HHVM) before 2.4.2 allows remote attackers to execute arbitrary commands by entering a \n (newline) character before the end of a string.

CVE-2014-2209
Published: 2014-12-28
Facebook HipHop Virtual Machine (HHVM) before 3.1.0 does not drop supplemental group memberships within hphp/util/capability.cpp and hphp/util/light-process.cpp, which allows remote attackers to bypass intended access restrictions by leveraging group permissions for a file or directory.

CVE-2014-5386
Published: 2014-12-28
The mcrypt_create_iv function in hphp/runtime/ext/mcrypt/ext_mcrypt.cpp in Facebook HipHop Virtual Machine (HHVM) before 3.3.0 does not seed the random number generator, which makes it easier for remote attackers to defeat cryptographic protection mechanisms by leveraging the use of a single initial...

CVE-2014-6228
Published: 2014-12-28
Integer overflow in the string_chunk_split function in hphp/runtime/base/zend-string.cpp in Facebook HipHop Virtual Machine (HHVM) before 3.3.0 allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via crafted arguments to the chunk_split ...

CVE-2014-6229
Published: 2014-12-28
The HashContext class in hphp/runtime/ext/ext_hash.cpp in Facebook HipHop Virtual Machine (HHVM) before 3.3.0 incorrectly expects that a certain key string uses '\0' for termination, which allows remote attackers to obtain sensitive information by leveraging read access beyond the end of the string,...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.