Tavis Ormandy and Sophos


As a security company, keeping our customers safe is our primary responsibility. We therefore investigate every vulnerability report and implement the course of action that best protects our customers.

Recently, researcher Tavis Ormandy contacted us about an examination he had carried out of Sophos's anti-virus product. His focus was not on specific vulnerabilities but on how various components of the product are implemented.

Tavis Ormandy's slides

Having assessed the findings in Tavis's report (available as a PDF), Sophos can assure customers that their protection is not compromised. The findings fall into three areas:

    * Tavis has questioned an encryption algorithm we use in a few places. This algorithm is being phased out. However, it should be clear that it is not used to secure any data whose exposure could compromise users' computers or the customer network.

    Furthermore, it is important to understand that this algorithm is not used in our encryption products, which meet globally accepted encryption standards (Common Criteria, FIPS).

    * Tavis has questioned the performance of Sophos buffer overflow protection and made other statements questioning the quality of Sophos protection. Naturally, Sophos is committed to continually improving performance and protection, and regularly participates in independent third-party tests, in which we consistently rank well.

    * Tavis has identified a weakness in the security of transporting files down to users' computers. This can only be exploited if an updating location (the location from which endpoints fetch their updates) has already been compromised. Whilst the likelihood of this is low, Sophos is fixing this weakness in the next release. Furthermore, an updating location that is configured according to best practices is very hard to compromise in the first place.

Customers are reminded of the following best practices:

    1. Ensure that the accounts used to access updating locations have low privilege (read-only access), so that a compromised endpoint cannot write to the updating location; restrict write access to the administrators who publish updates

    2. Keep systems patched and up to date

    3. Upgrade to the latest version of Sophos software to get the best protection

Sophos believes in responsible disclosure. We appreciate the help of Tavis Ormandy, and of others like him in the research community, in working with us to make our products stronger and more secure.