As a security company, keeping our customers safe is our primary responsibility, so we investigate all vulnerability reports and implement the best course of action to protect our customers.
Recently, researcher Tavis Ormandy contacted us about an examination he was doing of Sophos’s anti-virus product: not a search for possible vulnerabilities, but a look at how various components of it were implemented.
Having assessed the findings in Tavis’s report (available as a PDF), Sophos can assure customers that their protection is not compromised.
* Tavis has questioned an encryption algorithm we use in a few cases. This algorithm is being phased out. However, it should be clear that this algorithm is not used to secure data that could compromise users’ computers or the customer network.
Furthermore, it’s important to understand that this algorithm is not used in our encryption products, which meet globally accepted encryption standards (Common Criteria, FIPS).
* Tavis has questioned the performance of Sophos’s buffer overflow protection and made other statements questioning the quality of Sophos protection. Naturally, Sophos is committed to continually improving performance and protection, and regularly participates in independent third-party tests. In fact, we consistently rank well in these tests.
* Tavis has identified a weakness in the security of transporting files down to users’ computers. This can only be exploited if an updating location has been compromised. Whilst the likelihood of this is low, Sophos is fixing this weakness in the next release. Furthermore, an updating location that is configured according to best practices is very hard to compromise.
Customers are reminded of the following best practices:
1. Ensure that access to updating locations is limited to accounts with low privilege (read only)
2. Keep systems patched and up to date
3. Upgrade to the latest version of Sophos software to get the best protection
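The first best practice above (read-only access to updating locations) is something an administrator can verify rather than assume. The following PowerShell script is an added example, not Sophos’s own tooling: it reads the NTFS ACL of an update folder or share and reports every identity that holds write-level rights, other than an allow-list of accounts that legitimately publish updates. The path `\\FILESERVER\SophosUpdate` and the allow-list are placeholders to be replaced with the real values for your environment.

```powershell
# Added example (not Sophos's own tooling): audit the NTFS ACL of an update
# location and report any identity holding more than read-level rights.
# $UpdatePath and $AllowedWriters are placeholders for your environment.
param(
    [string]$UpdatePath = '\\FILESERVER\SophosUpdate',   # placeholder path
    # Identities that legitimately need to write updates (placeholder list)
    [string[]]$AllowedWriters = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')
)

# Any of these rights would let the holder alter the files that endpoints fetch.
$writeMask = [int]([System.Security.AccessControl.FileSystemRights]::Write -bor
                   [System.Security.AccessControl.FileSystemRights]::Modify -bor
                   [System.Security.AccessControl.FileSystemRights]::FullControl -bor
                   [System.Security.AccessControl.FileSystemRights]::Delete -bor
                   [System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
                   [System.Security.AccessControl.FileSystemRights]::TakeOwnership)

$acl = Get-Acl -Path $UpdatePath

$findings = foreach ($ace in $acl.Access) {
    # Only Allow entries grant access; Deny entries are not a risk here.
    if ($ace.AccessControlType -ne 'Allow') { continue }
    # Skip entries that grant read/execute only.
    if (([int]$ace.FileSystemRights -band $writeMask) -eq 0) { continue }
    $who = $ace.IdentityReference.Value
    if ($AllowedWriters -contains $who) { continue }
    [pscustomobject]@{
        Identity  = $who
        Rights    = $ace.FileSystemRights
        Inherited = $ace.IsInherited
    }
}

if ($findings) {
    Write-Warning "Identities with write-level rights on $UpdatePath (expected read-only):"
    $findings | Format-Table -AutoSize
} else {
    Write-Output "OK: no unexpected write-level rights on $UpdatePath"
}
```

Run it from an account that can read the ACL of the update location. NTFS permissions are only half of the picture on a network share; the share-level permissions (visible with `Get-SmbShareAccess` on the file server) should be checked the same way, since the effective right is the more restrictive of the two.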
Sophos believes in responsible disclosure. We appreciate the help from Tavis Ormandy, and others like him in the research community, in working with us to make our products stronger and more secure.
5 comments on “Tavis Ormandy and Sophos”
Excellent reply, Graham.
Do you think that maybe this whole stunt was Tavis' answer to http://bit.ly/pHN3St ?
Sophos may not want to stir the hornet's nest, but according to this article Tavis Ormandy's paper may have made some critical mistakes.
You should also note that with Sophos Live! scanning, potentially malicious files that are submitted back to Sophos are encrypted using a combination of RSA and AES.
This seems a disappointingly lightweight response to the detailed and specific warning. The issue is not whether Sophos 'ranks well' in buffer overflow protection generally, but whether Sophos accepts the published exploits are genuine or not, and if real, whether they have been remedied, or not.
You say you can 'assure customers that their protection is not compromised', but until a more in-depth response is available, let me tell you, I am not feeling assured. After the recent fiasco of Sophos detecting itself as a virus and breaking its own update mechanism, questions are being asked about the resources and competence of the company; responses to this warning will be critical.
I have asked our license manager to find out when we are due to renew our Sophos subscription. I'm sure I'm not alone; it would be nice to see Sophos step up to this challenge, rather than hide and disappear.
As soon as we were contacted by Tavis Ormandy, following the inspection he had carried out on our products, we took this very seriously and worked with him quickly to understand and verify his findings.
The vulnerabilities that Tavis Ormandy reported were indeed genuine, and we openly described them in more detail on the Naked Security Blog and our Sophos Knowledgebase, as soon as they were made public.
It is not our intention to hide anything and we always strive to be as open as possible in all situations where our customers and partners are impacted.