Sophos products and Tavis Ormandy

Sophos products and Tavis Ormandy

Updated 6 November 2012: We’ve updated the below article to give precise dates of when Sophos was informed of vulnerabilities, and when fixes were rolled-out to customers.

As a security company, keeping customers safe is Sophos’s primary responsibility. As a result, Sophos experts investigate all vulnerability reports and implement the best course of action in the tightest time period possible.

Recently, researcher Tavis Ormandy contacted Sophos about an examination he had done of Sophos’s anti-virus product, identifying a number of issues:

  • A remote code execution vulnerability was discovered in how the Sophos anti-virus engine scans malformed Visual Basic 6 compiled files. Sophos has seen no evidence of this vulnerability being exploited in the wild.

      First reported to Sophos: 10 September 2012

      Roll-out of a fix for Sophos customers completed: 22 October 2012 (42 days later)

  • The Sophos web protection and web control Layered Service Provider (LSP) block page was found to include a XSS flaw. Sophos has seen no evidence of this vulnerability being exploited in the wild.

      First reported to Sophos: 10 September 2012

      Roll-out of a fix for Sophos customers completed: 22 October 2012 (42 days later)

  • An issue was identified with the BOPS technology in Sophos Anti-Virus for Windows and how it interacted with ASLR on Windows Vista and later. Sophos has seen no evidence of this vulnerability being exploited in the wild.

      First reported to Sophos: 10 September 2012

      Roll-out of a fix for Sophos customers completed: 22 October 2012 (42 days later)

  • An issue was identified in how Sophos protection interacts with Internet Explorer’s Protected Mode. Sophos has seen no evidence of this vulnerability being exploited in the wild.

      First reported to Sophos: 10 September 2012

      Roll-out of a fix for Sophos customers began: 5 November 2012 (56 days later)

  • Vulnerabilities were found in how Sophos’s anti-virus engine handles malformed CAB files. These vulnerabilities could cause the Sophos engine to corrupt memory. Sophos has seen no evidence of this vulnerability being exploited in the wild.

      First reported to Sophos: 10 September 2012

      Roll-out of a fix for Sophos customers completed: 22 October 2012 (42 days later)

  • Vulnerabilities were found in how Sophos’s anti-virus engine handles malformed RAR files. These vulnerabilities could cause the Sophos engine to corrupt memory. Sophos has seen no evidence of this vulnerability being exploited in the wild.

      First reported to Sophos: 10 September 2012

      Roll-out of a fix for Sophos customers began: 5 November 2012 (56 days later)

  • A remote code execution vulnerability was discovered in how the Sophos anti-virus engine scans malformed PDF files. Sophos has seen no evidence of this vulnerability being exploited in the wild.

      First reported to Sophos: 5 October 2012

      Roll-out of a fix for Sophos customers began: 5 November 2012 (31 days later)

  • Tavis Ormandy provided samples of other malformed files, with no associated vulnerabilities, which can cause the Sophos anti-virus engine to behave unexpectedly. After being examined by Sophos experts, improvements were made to the robustness of the engine when it scans such files.

      First reported to Sophos: 4 October 2012

      Roll-out of a fix for Sophos customers will begin: 28 November 2012 (55 days later)

Best practice

Sophos customers are reminded of the following best practices:

1. Keep systems patched and up to date

2. Upgrade to the latest version of Sophos software to get the best protection

Responsible disclosure

Sophos believes in responsible disclosure.

The work of Tavis Ormandy, and others like him in the research community, who choose to work alongside security companies, can significantly strengthen software products. On behalf of its partners and customers, Sophos appreciates Tavis Ormandy’s efforts and responsible approach.