Tavis Ormandy and Sophos


As a security company, keeping our customers safe is our primary responsibility. We therefore investigate all vulnerability reports and implement the best course of action to protect our customers.

Recently, researcher Tavis Ormandy contacted us about an examination he was doing of Sophos's anti-virus product - not in terms of possible vulnerabilities - but instead looking at how various components of it were implemented.

Tavis Ormandy's slides

Having assessed the findings in Tavis's report (available as a PDF), Sophos can assure customers that their protection is not compromised.

    * Tavis has questioned an encryption algorithm we use in a few cases. This algorithm is being phased out. However, it should be clear that this algorithm is not used to secure data that could compromise users' computers or the customer network.

    Furthermore, it's important to understand that this algorithm is not used in our encryption products, which meet globally accepted encryption standards (Common Criteria, FIPS).

    * Tavis has questioned the performance of Sophos's buffer overflow protection and made other statements questioning the quality of Sophos protection. Naturally, Sophos is committed to continually improving performance and protection, and regularly participates in independent third-party tests. In fact, we consistently rank well in these tests.

    * Tavis has identified a weakness in the security of transporting files down to users' computers. This can only be exploited if an updating location has been compromised. Whilst the likelihood of this is low, Sophos is in the process of fixing this weakness in the next release. Furthermore, if an updating location is configured according to best practices, it is very hard to compromise.

Customers are reminded of the following best practices:

    1. Ensure that access to updating locations is limited to accounts with low privilege (read only)

    2. Keep systems patched and up to date

    3. Upgrade to the latest version of Sophos software to get the best protection
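The update-transport weakness described above, and the first best practice, both come down to one question: what happens if someone can write to the location a client fetches its updates from? The following Go program is an added example, not Sophos's code and not part of the original post. It shows the standard mitigation for that class of problem: the publisher signs a manifest of file hashes with a private key, and the client verifies the manifest against a pinned public key before trusting any file, so a modified or substituted file in the update location is rejected even if the location itself was writable. The file names, contents and the fixed key seed are constructed for the demonstration; nothing here reflects Sophos's actual update format.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// UpdateFile is one file in an update package: its name and its bytes.
type UpdateFile struct {
	Name string
	Data []byte
}

// DemoKeyPair derives a key pair from a constant seed so the example is
// reproducible. A real publisher would generate the key once and keep the
// private half offline; only the public key is shipped with the client.
func DemoKeyPair() (ed25519.PublicKey, ed25519.PrivateKey) {
	seed := []byte("constructed-demo-seed-32-bytes!!") // exactly 32 bytes, demo only
	priv := ed25519.NewKeyFromSeed(seed)
	return priv.Public().(ed25519.PublicKey), priv
}

// BuildManifest produces a canonical manifest: one "name sha256hex" line per
// file, sorted by name so that the same file set always yields the same bytes.
func BuildManifest(files []UpdateFile) []byte {
	lines := make([]string, 0, len(files))
	for _, f := range files {
		sum := sha256.Sum256(f.Data)
		lines = append(lines, f.Name+" "+hex.EncodeToString(sum[:]))
	}
	sort.Strings(lines)
	return []byte(strings.Join(lines, "\n") + "\n")
}

// SignManifest is the publisher side: sign the manifest bytes. The signature
// is distributed alongside the manifest and the files.
func SignManifest(priv ed25519.PrivateKey, manifest []byte) []byte {
	return ed25519.Sign(priv, manifest)
}

// VerifyUpdate is the client side. It refuses the whole update unless the
// manifest signature checks out against the pinned key, every delivered file
// matches its listed hash, and no listed file is missing or unlisted.
func VerifyUpdate(pinnedPub ed25519.PublicKey, manifest, sig []byte, files []UpdateFile) error {
	if !ed25519.Verify(pinnedPub, manifest, sig) {
		return errors.New("manifest signature invalid: refusing update")
	}
	expected := map[string]string{}
	for _, line := range strings.Split(strings.TrimSpace(string(manifest)), "\n") {
		parts := strings.Fields(line)
		if len(parts) != 2 {
			return errors.New("malformed manifest line")
		}
		expected[parts[0]] = parts[1]
	}
	seen := map[string]bool{}
	for _, f := range files {
		want, ok := expected[f.Name]
		if !ok {
			return fmt.Errorf("%s delivered but not listed in manifest", f.Name)
		}
		sum := sha256.Sum256(f.Data)
		if hex.EncodeToString(sum[:]) != want {
			return fmt.Errorf("%s hash mismatch: file was altered", f.Name)
		}
		seen[f.Name] = true
	}
	for name := range expected {
		if !seen[name] {
			return fmt.Errorf("%s listed in manifest but missing", name)
		}
	}
	return nil
}

func main() {
	pub, priv := DemoKeyPair()
	// Constructed update package: names and contents are illustrative only.
	files := []UpdateFile{{"ide.dat", []byte("signature data v1")}, {"engine.bin", []byte("engine v1")}}
	manifest := BuildManifest(files)
	sig := SignManifest(priv, manifest)
	fmt.Println("genuine package:", VerifyUpdate(pub, manifest, sig, files))

	// An attacker with write access to the update location swaps one file.
	tampered := []UpdateFile{{"ide.dat", []byte("altered")}, {"engine.bin", []byte("engine v1")}}
	fmt.Println("altered file:", VerifyUpdate(pub, manifest, sig, tampered))

	// Rewriting the manifest too does not help without the private key.
	fmt.Println("rewritten manifest:", VerifyUpdate(pub, BuildManifest(tampered), sig, tampered))
}
```

The point of the design is that the update location only needs to be available, not trusted: integrity comes from the signature and the pinned key on the client, which is why a read-only, low-privilege update share is defence in depth rather than the sole control.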

Sophos believes in responsible disclosure. We appreciate the help from Tavis Ormandy, and others like him in the research community, in working with us to make our products stronger and more secure.


3 Responses to Tavis Ormandy and Sophos

  1. cliff says:

    Excellent reply, Graham.
    Do you think that maybe this whole stunt was Tavis' answer to http://bit.ly/pHN3St ?

  2. Anon says:

    Sophos may not want to stir the hornet's nest, but according to this article, Tavis Ormandy's paper may have made some critical mistakes:
    http://anti-virus-rants.blogspot.com/2011/08/tavi...

  3. Phil says:

    You should also note that in Sophos Live! scanning, potentially malicious files submitted back to Sophos are encrypted using a combination of RSA and AES.


About the author

Graham Cluley is senior technology consultant at Sophos. The readers of Computer Weekly voted him security blogger of the year in 2009 and 2010, and he pipped Stephen Fry to the title of "Twitter user of the year" too. Which was nice. He was also named "Best Security Blogger" by the readers of SC Magazine in 2011. You can subscribe to Graham's updates on Facebook, follow him on Twitter and circle him on Google Plus for regular updates.