Google information security engineer Tavis Ormandy recently uncovered several critical security flaws in Sophos' anti-virus software.
"The holes can be reliably and easily exploited by hackers to compromise the computers the software is supposed to defend," writes The Register's John Leyden. "Specifically, the antivirus scanner fails to safely examine encrypted PDFs and VisualBasic files, which could arrive in an email or website download; these documents can be crafted to trigger flaws within the software and gain control of the system."
"Outside of the various vulnerabilities, Ormandy even accused Sophos products of harming security protections in Windows, claiming the firm’s Buffer Overflow Protection System (BOPS) effectively disabled Address Space Layout Randomisation (ASLR) on all Microsoft Windows platforms that have Sophos installed," writes TechWeekEurope's Tom Brewster. "This could allow 'attackers to develop reliable exploits for what might otherwise have been safe systems.'"
"The researcher shared his findings with Sophos in advance and the company released security fixes for the vulnerabilities disclosed in the paper," writes CIO.com's Lucian Constantin. "Some of the fixes were rolled out on Oct. 22, while the others were released on Nov. 5, the company said Monday in a blog post. There are still some potentially exploitable issues discovered by Ormandy through fuzzing -- a security testing method -- that were shared with Sophos, but weren't publicly disclosed. Those issues are being examined and fixes for them will start to be rolled out on Nov. 28, the company said."
"Thus far, none of the exploits have been seen in the wild, Sophos officials maintained, although with the disclosure now fully public, it won’t take much for cybercriminals to unleash an attack," writes Channelnomics' Stefanie Hoffman. "Partners were quick to point out that there’s often a world of difference between proof of concept exploits and active attacks. 'It’s not good obviously and they need to fix it,' said Andrew Plato, CEO of Beaverton, Ore.-based Anitian Enterprise Security. 'But there’s a very, very big difference between vulnerabilities discovered in the lab and in the wild. That difference is huge. Most people don’t appreciate that difference.'"