Vulnerability analysis at SophosLabs

Today’s malware commonly spreads by exploiting unpatched vulnerabilities in the operating system and in other software such as web browsers and browser plug-ins. Administrators ought to be aware of the risk introduced by an unpatched vulnerability. It is also vital for administrators to know which vulnerabilities are the most commonly exploited, so that the installation of security patches can be prioritized appropriately, a rather complex task in an enterprise environment.

Many good sources of vulnerability information are available on the internet today, including various mailing lists and vendors specializing in security intelligence, but putting that information in the context of a specific production environment can prove challenging.

Sophos users are well aware that SophosLabs has been analyzing common vulnerabilities and exploits, and providing protection against those exploits, for many years now. We have also provided information and advice about vulnerabilities and exploits on a case-by-case basis. In doing so, we have built up our expertise in estimating the threat level of newly disclosed vulnerabilities and in the other parts of the vulnerability analysis process.

Corporate administrators are a conscientious group who are very interested in security information. This is understandable: they need to determine the seriousness of a particular threat, the likelihood of a vulnerability being exploited and whether any exploits have been published, in order to decide correctly which applications to patch and when to patch them. Since we are very close to the various sources of security information, especially those that are malware related, SophosLabs is also in a position to provide more information about newly discovered vulnerabilities and to reasonably predict the risk of their exploitation.

I am very pleased to announce that we have formed a dedicated vulnerability analysis team inside SophosLabs that will, starting with Microsoft’s August 2008 Security Bulletin, regularly provide you with information about newly discovered exploitable vulnerabilities in Microsoft’s and other companies’ products which are known to be commonly used in corporate environments.

The vulnerability analyses, published on Sophos’ website, will contain Sophos risk ratings together with information about newly discovered exploits, the new detections we have published for these exploits, and the results of analyses and tests conducted in SophosLabs. While the emphasis will be on vulnerabilities that are most likely to be exploited by malware, we also aim to provide information about critical vulnerabilities that can be exploited by a human attacker.

We are now patiently waiting for the new Microsoft security patches to be published so that we can start our analysis as soon as they are available. I expect the first set of analyses to be published tomorrow, UK time, on our blog. Seven critical and four important patches have been announced, which gives us quite a lot of material to publish. Very exciting times for us in the lab. Until then…

If you have any comments or suggestions on the vulnerability analysis process in SophosLabs, please email me at