12 comments

[ 2.8 ms ] story [ 40.7 ms ] thread
This is actually an amazing paper - well worth reading. It's like a long list of what not to do in your application (even not a security-related one).

Looks like in a couple of days running Sophos may be more dangerous than not having it installed at all...

"Sophos has seen no evidence of any of these vulnerabilities being exploited in the wild." in bold, along with "Sophos has seen no evidence of this vulnerability being exploited in the wild." in bold on every single vulnerability. That is incredibly, incredibly disingenuous.

Don't ever downplay the severity of a vulnerability because you believe it hasn't been exploited in the wild yet. If unpatched systems remain and the vulnerability is juicy enough, people will exploit it. Statements like theirs are complete and utter bullshit; they do more harm than good for the security of their products and customer systems.

Once a patch exists (as in this case), it becomes a bit more meaningful, as the (non)existence of wild 0-day vulnerabilities is important. On the other hand if Travis could come up with more vulnerabilities than they can handle, I wouldn't be surprised to see wild 0-day exploits before the next set of patches on 11/28, as this headline will prompt more scrutiny into their product.
"As far as we know, our computer has never had an undetected error." -Weisert.
Sophos patched some of the vulns back in October, and the rest today.
Money quote:

Sophos were able to convince me they were working with good intentions, but they were clearly ill-equipped to handle the output of one co-operative security researcher working in his spare time.

The very detailed account of his interactions with them prior to disclosure is a good read.

> Sophos products should only ever be considered for low-value non-critical systems and never deployed on networks or environments where a complete compromise by adversaries would be inconvenient.

IMO, that should hold true for just about every piece of third-party software that you're installing on your networks/computers without having a thorough audit done on it and the integration with your systems. At the end of the day, the security of your systems is your problem, not anyone else's; while Sophos dropped the ball here and is responsible for the vulnerabilities themselves, it doesn't make you any less hosed if they're used to compromise your systems.

> As demonstrated in this paper, installing Sophos Antivirus exposes machines to considerable risk.

I've worked at Sophos and, in a way, I am not surprised. It's a company growing really fast, away from London where the top developers are...

Incredible list of flaws that a security company has no excuse releasing with. The ASLR flaws alone show a fundamental misunderstanding of basic security practices.

It seems from this that very little effort has been put into fuzz testing Sophos products. With the complexities involved in anti-virus scanning I really have to wonder how many other security products are actually the largest holes in the system.

This is funny to me in an admittedly schadenfreude kind of way, as I've had to deal with their false positive system before, and it was an exercise in frustration.

In short, one of my products is a guild hosting system for games like WoW. One of my tools offer is a profile harvesting and uploading system in the form of an executable that simply uploaded the Lua files generated by my WoW Profiling Mod (collecting things like character level, name, class, professions, skills, etc - nothing personal or potentially dangerous). After getting a few customer emails about Sophos detecting it as a virus, I contacted Sophos to let them know about it.

After verifying that it did indeed not contain a virus, they decided to still flag it as a supposed "PUA (Potentially Unwanted Software) or Adware". I protested, saying that no one would ever accidentally install this (it's not bundled with anything, it's a direct download), nor does it generate ads, nor does it do anything the user doesn't expect it to do, which is exclusively uploading character profile information to their website. In no way should be classified alongside Adware.

They responded with something of the order "Sophos is for business computers, and because this is for games, it potentially unwanted on the business machine." They refused to remove the flag.

So my Sophos users just have to accept that Sophos basically tells them that my app contains malware - since who's going to see "PUA/Adware" and think anything other than "This is adware? Screw this, not worth it. BRB cancelling this scam of a service."

So I have absolutely no sympathy for Sophos, and it's funny to me that a company supposedly dedicated to keeping malware and viruses off business computers is riddled with security vulnerabilities, and then tries to brush them under the table because they have not yet been detected to have been exploited. Stay classy, Sophos.

In brief: If you're running Sophos, anyone can make your computer do anything by sending you an email you don't even read.

I've just sent this paper to the security departments at the universities I'm affiliated with, both of whom provide and recommend Sophos.

I would really hope that as a security company Sophos couldn't possibly survive this.