
Multiple critical vulnerabilities in Sophos (antivirus) products - daave
http://seclists.org/fulldisclosure/2012/Nov/31
======
chops
This is funny to me in an admittedly schadenfreude kind of way, as I've had to
deal with their false positive system before, and it was an exercise in
frustration.

In short, one of my products is a guild hosting system for games like WoW. One
of the tools I offer is a profile harvesting and uploading system in the form of
an executable that simply uploaded the Lua files generated by my WoW Profiling
Mod (collecting things like character level, name, class, professions, skills,
etc - nothing personal or potentially dangerous). After getting a few customer
emails about Sophos detecting it as a virus, I contacted Sophos to let them
know about it.

After verifying that it did indeed not contain a virus, they decided to
_still_ flag it as a supposed "PUA (Potentially Unwanted Software) or Adware".
I protested, saying that no one would ever accidentally install this (it's not
bundled with anything, it's a direct download), nor does it generate ads, nor
does it do anything the user doesn't expect it to do, which is exclusively
uploading character profile information to their website. In no way should it be
classified alongside Adware.

They responded with something to the effect of "Sophos is for business computers,
and because this is for games, it's potentially unwanted on the business
machine." They refused to remove the flag.

So my Sophos users just have to accept that Sophos basically tells them that
my app contains malware - since who's going to see "PUA/Adware" and think
anything other than _"This is adware? Screw this, not worth it. BRB cancelling
this scam of a service."_

So I have absolutely no sympathy for Sophos, and it's funny to me that a
company supposedly dedicated to keeping malware and viruses off business
computers is riddled with security vulnerabilities, and then tries to brush
them under the table because they have not yet been detected to have been
exploited. Stay classy, Sophos.

------
revelation
Money quote:

 _Sophos were able to convince me they were working with good intentions, but
they were clearly ill-equipped to handle the output of one co-operative
security researcher working in his spare time._

The very detailed account of his interactions with them prior to disclosure is
a good read.

------
viraptor
This is actually an amazing paper - well worth reading. It's like a long list
of what not to do in your application (even if it's not a security-related one).

Looks like in a couple of days running Sophos may be more dangerous than not
having it installed at all...

------
randomfool
Incredible list of flaws that a security company has no excuse for releasing.
The ASLR flaws alone show a fundamental misunderstanding of basic security
practices.

It seems from this that very little effort has been put into fuzz testing
Sophos products. With the complexities involved in anti-virus scanning I
really have to wonder how many other security products are actually the
largest holes in the system.

------
daeken
> Sophos products should only ever be considered for low-value non-critical
> systems and never deployed on networks or environments where a complete
> compromise by adversaries would be inconvenient.

IMO, that should hold true for just about every piece of third-party software
that you're installing on your networks/computers without having a thorough
audit done on it and the integration with your systems. At the end of the day,
the security of your systems is _your_ problem, not anyone else's; while
Sophos dropped the ball here and is responsible for the vulnerabilities
themselves, it doesn't make you any less hosed if they're used to compromise
your systems.

------
fjarlq
Response by Sophos:

[http://nakedsecurity.sophos.com/2012/11/05/tavis-ormandy-sop...](http://nakedsecurity.sophos.com/2012/11/05/tavis-ormandy-sophos/)

~~~
daeken
"Sophos has seen no evidence of any of these vulnerabilities being exploited
in the wild." in bold, along with "Sophos has seen no evidence of this
vulnerability being exploited in the wild." in bold on every single
vulnerability. That is incredibly, incredibly disingenuous.

Don't ever downplay the severity of a vulnerability because you believe it
hasn't been exploited in the wild _yet_. If unpatched systems remain and the
vulnerability is juicy enough, people _will_ exploit it. Statements like
theirs are complete and utter bullshit; they do more harm than good for the
security of their products and customer systems.

~~~
aidenn0
Once a patch exists (as in this case), it becomes a bit more meaningful, as
the (non)existence of wild 0-day vulnerabilities is important. On the other
hand, if Tavis could come up with more vulnerabilities than they can handle, I
wouldn't be surprised to see wild 0-day exploits before the next set of
patches on 11/28, as this headline will prompt more scrutiny of their
product.

------
sklivvz1971
> As demonstrated in this paper, installing Sophos Antivirus exposes machines
> to considerable risk.

I've worked at Sophos and, in a way, I am not surprised. It's a company
growing really fast, away from London where the top developers are...

------
gmac
In brief: If you're running Sophos, anyone can make your computer do anything
by sending you an email you don't even read.

I've just sent this paper to the security departments at the universities I'm
affiliated with, both of whom provide and recommend Sophos.

I would really hope that as a security company Sophos couldn't possibly
survive this.

