Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

8/10/2011
09:22 AM
50%
50%

Google Researcher Dissects Sophos Antivirus Software

AV product vendors don't provide sufficient technical details on how their products work, researcher says at Black Hat USA.

Black Hat
A security researcher at Black Hat USA, a UBM TechWeb event in Las Vegas, last week shared his findings from reverse-engineering Sophos' core antivirus engine software in an effort to uncover more details on just how the product actually works.

Google researcher Tavis Ormandy, who conducted the research independently, performed an in-depth analysis of Sophos' core AV engine in Sophos Antivirus 9.5 for Windows. Ormandy's premise for his research was that when AV firms falsely or inadequately advertise their features in product specifications, it misleads customers.

"AV vendors won't explain what it is they do," he said. They don't publish technical specifications, so there's no way to really understand or test their claims, he said.

And poorly implemented features in AV software expand the attack surface, according to Ormandy, who pointed out such weaknesses in the Sophos engine. These are not traditional vulnerabilities, but instead how Sophos designed the code and implemented its features, he said.

Among the flaws in the design were some in the product's signatures, which Ormandy described as weak and relying heavily on CRC32 and "matching irrelevant or dead-code sequences." He also scrutinized Sophos' buffer overflow protection system (BOPS) in its host-intrusion prevention system, which he said works only in earlier Windows versions (prior to Vista) and employs weak runtime exploit mitigation, as well as weak crypto to protect it from attackers.

Overall, Sophos employs a weak encryption scheme within its products that is dated and could ultimately be beaten, he said. "Sophos tried to hide the key within the product [with this encryption scheme]," Ormandy said. "That reduces it to an obfuscation scheme. Sophos uses obfuscation where real cryptography could work."

Among the other features Ormandy studied in Sophos' product were native code emulation, unpackers, and "genes and genotypes." He concluded that its native code emulation could be bypassed or detected by an attacker, and its native unpackers could be gamed by bypassing the blacklisting feature.

Read the rest of this article on Dark Reading.

The vendors, contractors, and other outside parties with which you do business can create a serious security risk. Here's how to keep this threat in check. Also in the new, all-digital issue of Dark Reading: Why focusing solely on your own company's security ignores the bigger picture. Download it now. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Navigating Security in the Cloud
Diya Jolly, Chief Product Officer, Okta,  12/4/2019
US Sets $5 Million Bounty For Russian Hacker Behind Zeus Banking Thefts
Jai Vijayan, Contributing Writer,  12/5/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Our Endpoint Protection system is a little outdated... 
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-19719
PUBLISHED: 2019-12-11
Tableau Server 10.3 through 2019.4 on Windows and Linux allows XSS via the embeddedAuthRedirect page.
CVE-2019-19720
PUBLISHED: 2019-12-11
Yabasic 2.86.1 has a heap-based buffer overflow in the yylex() function in flex.c via a crafted BASIC source file.
CVE-2019-19707
PUBLISHED: 2019-12-11
On Moxa EDS-G508E, EDS-G512E, and EDS-G516E devices (with firmware through 6.0), denial of service can occur via PROFINET DCE-RPC endpoint discovery packets.
CVE-2019-19708
PUBLISHED: 2019-12-11
The VisualEditor extension through 1.34 for MediaWiki allows XSS via pasted content containing an element with a data-ve-clipboard-key attribute.
CVE-2019-19709
PUBLISHED: 2019-12-11
MediaWiki through 1.33.1 allows attackers to bypass the Title_blacklist protection mechanism by starting with an arbitrary title, establishing a non-resolvable redirect for the associated page, and using redirect=1 in the action API when editing that page.