Tavis Ormandy and Sophos


As a security company, keeping our customers safe is our primary responsibility. We therefore investigate all vulnerability reports and implement the best course of action to protect our customers.

Recently, researcher Tavis Ormandy contacted us about an examination he had been making of Sophos's anti-virus product, not a search for vulnerabilities as such, but a look at how various components of it were implemented.

Tavis Ormandy's slides

Having assessed the findings in Tavis's report (available as a PDF), Sophos can assure customers that their protection is not compromised.

    * Tavis has questioned an encryption algorithm we use in a few cases. This algorithm is being phased out. However, it should be clear that this algorithm is not used to secure data that could compromise users' computers or the customer network.

    Furthermore, it's important to understand that this algorithm is not used in our encryption products, which meet globally accepted encryption standards (Common Criteria, FIPS).

    * Tavis has questioned the performance of Sophos buffer overflow protection and made other statements questioning the quality of Sophos protection. Naturally Sophos is committed to continually improving performance and protection and regularly participates in independent third party tests. In fact, we consistently rank well in these tests.

    * Tavis has identified a weakness in the security of transporting files down to users' computers. It can only be exploited if an updating location has itself been compromised. Whilst the likelihood of this is low, Sophos is fixing the weakness in the next release. Furthermore, an updating location configured according to best practices is very hard to compromise.

Customers are reminded of the following best practices:

    1. Ensure that access to updating locations is limited to accounts with low privilege (read only)

    2. Keep systems patched and up to date

    3. Upgrade to the latest version of Sophos software to get the best protection
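The updating-location scenario in the third bullet above, shown as an added example: this is not Sophos's code and does not describe how Sophos's updater actually works. It illustrates the general mitigation for that threat model, a client that pins the vendor's public key and verifies a signed manifest plus per-file hashes before installing anything it pulled from an updating location. With that check in place, an attacker with write access to the updating location can replace files but cannot get the client to accept them, because they cannot produce a valid signature under the vendor key. The manifest format, key pair, file names and file contents are all constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest lists every file in an update, keyed by path, with its SHA-256.
// The signature covers the canonical JSON of the manifest, so the client
// never has to trust anything the updating location says about the files.
type Manifest struct {
	Version string            `json:"version"`
	Files   map[string]string `json:"files"` // path -> hex SHA-256
}

// canonical gives a deterministic encoding; encoding/json sorts map keys.
func canonical(m Manifest) ([]byte, error) {
	return json.Marshal(m)
}

// BuildManifest hashes each file of a release (vendor side).
func BuildManifest(version string, files map[string][]byte) Manifest {
	m := Manifest{Version: version, Files: map[string]string{}}
	for path, content := range files {
		sum := sha256.Sum256(content)
		m.Files[path] = hex.EncodeToString(sum[:])
	}
	return m
}

// SignManifest runs once at release time with the vendor's private key,
// which never leaves the vendor and is never on the updating location.
func SignManifest(priv ed25519.PrivateKey, m Manifest) ([]byte, error) {
	data, err := canonical(m)
	if err != nil {
		return nil, err
	}
	return ed25519.Sign(priv, data), nil
}

// VerifyUpdate is the client-side check. files maps path -> content as
// pulled from the updating location. It returns nil only if the manifest
// signature is valid under the pinned vendor key AND every listed file
// matches its manifest hash; anything else is refused, not installed.
func VerifyUpdate(pub ed25519.PublicKey, m Manifest, sig []byte, files map[string][]byte) error {
	data, err := canonical(m)
	if err != nil {
		return err
	}
	if !ed25519.Verify(pub, data, sig) {
		return errors.New("manifest signature invalid: refusing update")
	}
	for path, want := range m.Files {
		content, ok := files[path]
		if !ok {
			return fmt.Errorf("%s: listed in manifest but missing from update", path)
		}
		sum := sha256.Sum256(content)
		if hex.EncodeToString(sum[:]) != want {
			return fmt.Errorf("%s: hash mismatch, file altered at update location or in transit", path)
		}
	}
	// Files present at the location but absent from the manifest are ignored.
	return nil
}

// Demo walks through the three cases: a genuine update, a file swapped by
// someone with write access to the updating location, and that attacker
// also rewriting and re-signing the manifest with their own key.
func Demo() (genuineOK, tamperedRejected, forgedRejected bool) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed vendor key pair
	files := map[string][]byte{                       // constructed update contents
		"ide/detections.vdb": []byte("constructed sample: detection data v1"),
		"bin/scanner":        []byte("constructed sample: scanner binary"),
	}
	m := BuildManifest("1.0.0", files)
	sig, _ := SignManifest(priv, m)
	genuineOK = VerifyUpdate(pub, m, sig, files) == nil

	tampered := map[string][]byte{}
	for k, v := range files {
		tampered[k] = v
	}
	tampered["bin/scanner"] = []byte("attacker payload")
	tamperedRejected = VerifyUpdate(pub, m, sig, tampered) != nil

	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)
	forged := BuildManifest("1.0.0", tampered)
	forgedSig, _ := SignManifest(attackerPriv, forged)
	forgedRejected = VerifyUpdate(pub, forged, forgedSig, tampered) != nil
	return
}

func main() {
	a, b, c := Demo()
	fmt.Printf("genuine accepted: %v, swapped file rejected: %v, re-signed manifest rejected: %v\n", a, b, c)
}
```

The point of the design is that the read-only best practice in the list above limits who can write to the updating location, while the signature check means that even a writer there gains nothing: the vendor's public key is pinned in the client, so no party on the update path can mint an acceptable manifest.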

Sophos believes in responsible disclosure. We appreciate the help from Tavis Ormandy, and others like him in the research community, in working with us to make our products stronger and more secure.


5 Responses to Tavis Ormandy and Sophos

  1. cliff · 1524 days ago

    Excellent reply, Graham.
    Do you think that maybe this whole stunt was Tavis' answer to http://bit.ly/pHN3St ?

  2. Anon · 1523 days ago

    Sophos may not want to stir the hornet's nest, but according to this article Tavis Ormandy's paper may have made some critical mistakes.

  3. Phil · 1393 days ago

    You should also note that in Sophos Live! scanning, where potentially malicious files are submitted back to Sophos, the files are encrypted using a combination of RSA and AES.

  4. Anon · 1066 days ago

    This seems a disappointingly lightweight response to the detailed and specific warning. The issue is not whether Sophos 'ranks well' in buffer overflow protection generally, but whether Sophos accepts the published exploits are genuine or not, and if real, whether they have been remedied, or not.

    You say you can 'assure customers that their protection is not compromised', but until a more in-depth response is available, let me tell you, I am not feeling assured. After the recent fiasco of Sophos detecting itself as a virus and breaking its own update mechanism, questions are being asked about the resources and competence of the company; responses to this warning will be critical.

    I have asked our license manager to find out when we are due to renew our Sophos subscription; I'm sure I'm not alone. It would be nice to see Sophos step up to this challenge, rather than hide and disappear.

    • Sean · 1066 days ago

      Hi Anon,

      As soon as we were contacted by Tavis Ormandy, following the inspection he had carried out on our products, we took this very seriously and worked with him quickly to understand and verify his findings.

      The vulnerabilities that Tavis Ormandy reported were indeed genuine, and we openly described them in more detail on the Naked Security Blog and our Sophos Knowledgebase, as soon as they were made public.

      It is not our intention to hide anything and we always strive to be as open as possible in all situations where our customers and partners are impacted.


About the author

Graham Cluley runs his own award-winning computer security blog at https://grahamcluley.com, and is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations. Follow him on Twitter at @gcluley