Sophos is in the news again, and it’s not good. Back in September, SecureState released a Threat Update on Sophos and how it classified itself as malware. Sophos is once again in the news for several vulnerabilities discovered by Tavis Ormandy, a security researcher who is employed at Google. Ormandy released aresearch paper that contained several vulnerabilities within Sophos code, specifically the code responsible for parsing VB6, PDF, RAR, and CAB files. These flaws can allow a remote attacker to execute code on the system.
The most startling vulnerability found by Ormandy was the PDF parsing vulnerability. This vulnerability can be exploited by simply receiving an email in Outlook. Sophos will automatically intercept the input and output operations, so that opening or reading the email is not even required. “The most realistic attack scenario for a global network worm is self-propagation via email. No users are required to interact with the email, as the vulnerability will be automatically exploited.” –Ormandy
Ormandy also went on to state that the Buffer Overflow Protection System implemented within Sophos disables the ASLR (address space layout randomization) exploit mitigation feature on Windows. “It is simply inexcusable to disable ASLR systemwide like this, especially in order to sell a naïve alternative to customers that is functionally poorer than that provided by Microsoft.” -Ormandy
Most of these vulnerabilities should have been discovered and fixed during product development and the QA process. The fact that the product wasn’t demonstrates that Sophos failed in their primary responsibility to keep customers safe. With regards to this recent news, Sophos has already patched several of these issues, as Ormandy contacted Sophos with the vulnerabilities prior to release. Sophos has also stated that the remaining issues will be fixed in a release on November 28. Overall, it’s been a few rough months for Sophos; if you currently have a Sophos implementation, ensure that your systems are patched whenever updates are released.