Security researcher Tavis Ormandy discovered critical vulnerabilities in the antivirus product developed by U.K.-based security firm Sophos and advised organizations to avoid using the product on critical systems unless the vendor improves its product development, quality assurance and security response practices.
Ormandy, who works as an information security engineer at Google, disclosed details about the vulnerabilities he found in a research paper entitled “Sophail: Applied attacks against Sophos Antivirus” that was published on Monday. Ormandy noted that the research was performed in his spare time and that the views expressed in the paper are his own and not those of his employer.
The paper contains details about several vulnerabilities in the Sophos antivirus code responsible for parsing Visual Basic 6, PDF, CAB and RAR files. Some of these flaws can be attacked remotely and can result in the execution of arbitrary code on the system.
Ormandy even included a proof-of-concept exploit for the PDF parsing vulnerability which he claims requires no user interaction, no authentication and can be easily transformed into a self-spreading worm.
The researcher built the exploit for the Mac version of Sophos antivirus, but noted that the vulnerability also affects Windows and Linux versions of the product and the exploit can easily be translated to those platforms.
The PDF parsing vulnerability can be exploited by simply receiving an email in Outlook or Mail.app, Ormandy said in the paper. Because Sophos antivirus automatically intercepts input and output (I/O) operations, opening or reading the email is not even necessary.
“The most realistic attack scenario for a global network worm is self-propagation via email,” Ormandy said. “No users are required to interact with the email, as the vulnerability will be automatically exploited.”
However, other attack methods are also possible—for example, by opening any file of any type provided by an attacker; visiting a URL (even in a sandboxed browser), or embedding images using MIME cid: URLs into an email that is opened in a webmail client,the researcher said. “Any method an attacker can use to cause I/O is enough to exploit this vulnerability.”
Ormandy also found that a component called the “Buffer Overflow Protection System” (BOPS) that’s bundled with Sophos antivirus, disables the ASLR (address space layout randomization) exploit mitigation feature on all Windows versions that support it by default, including Vista and later.
“It is simply inexcusable to disable ASLR systemwide like this, especially in order to sell a naive alternative to customers that is functionally poorer than that provided by Microsoft,” Ormandy said.
A website blacklisting component for Internet Explorer installed by Sophos antivirus cancels the protection offered by the browser’s Protected Mode feature, the researcher said. In addition, the template used to display warnings by the blacklisting component introduces a universal cross-site scripting vulnerability that defeats the browser’s Same Origin Policy.
The Same Origin Policy is “one of the fundamental security mechanisms that makes the internet safe to use,” Ormandy said. “With the Same Origin Policy defeated, a malicious website can interact with your Mail, Intranet Systems, Registrar, Banks and Payroll systems, and so on.”
Ormandy’s comments throughout the paper suggest that many of these vulnerabilities should have been caught during the product development and quality assurance processes.
The researcher shared his findings with Sophos in advance and the company released security fixes for the vulnerabilities disclosed in the paper. Some of the fixes were rolled out on Oct. 22, while the others were released on Nov. 5, the company said Monday in a blog post.
There are still some potentially exploitable issues discovered by Ormandy through fuzzing—a security testing method—that were shared with Sophos, but weren’t publicly disclosed. Those issues are being examined and fixes for them will start to be rolled out on Nov. 28, the company said.
“As a security company, keeping customers safe is Sophos’s primary responsibility,” Sophos said. “As a result, Sophos experts investigate all vulnerability reports and implement the best course of action in the tightest time period possible.”
“It’s good that Sophos has been able to deliver the suite of fixes within weeks, and without disrupting customers’ usual operations,” Graham Cluley, a senior technology consultant at Sophos, said Tuesday via email. “We are grateful that Tavis Ormandy found the vulnerabilities, as this has helped make Sophos’s products better.”
However, Ormandy wasn’t satisfied with the time it took Sophos to patch the critical vulnerabilities he reported. The issues were reported to the company on September 10, he said.
“In response to early access to this report, Sophos did allocate some resources to resolve the issues discussed, however they were clearly ill-equipped to handle the output of one co-operative, non-adversarial security researcher,” Ormandy said. “A sophisticated state-sponsored or highly motivated attacker could devastate the entire Sophos user base with ease.”
“Sophos claim their products are deployed throughout healthcare, government, finance and even the military,” the researcher said. “The chaos a motivated attacker could cause to these systems is a realistic global threat. For this reason, Sophos products should only ever be considered for low-value non-critical systems and never deployed on networks or environments where a complete compromise by adversaries would be inconvenient.”
Ormandy’s paper contains a section that describes best practices and includes the researcher’s recommendations for Sophos customers, like implementing contingency plans that would allow them to disable Sophos antivirus installations on short notice.
“Sophos simply cannot react fast enough to prevent attacks, even when presented with a working exploit,” he said. “Should an attacker choose to use Sophos Antivirus as their conduit into your network, Sophos will simply not be able to prevent their continued intrusion for some time, and you must implement contingency plans to handle this scenario if you choose to continue deploying Sophos.”