
Google Security Engineer Issues Sophos Warning

Soulskill posted about a year and a half ago | from the you-have-been-called-out dept.

Security 89

angry tapir writes "Google security engineer Tavis Ormandy discovered several flaws in Sophos antivirus and says the product should be kept away from high value information systems unless the company can avoid easy mistakes and issue patches faster. Ormandy has released a scathing 30-page analysis (PDF) 'Sophail: Applied attacks against Sophos Antivirus,' in which he details several flaws 'caused by poor development practices and coding standards,' topped off by the company's sluggish response to the warning that he had working exploits for those flaws. One of the exploits Ormandy details is for a flaw in Sophos' on-access scanner, which could be used to unleash a worm on a network simply by targeting a company receiving an attack email via Outlook. Although the example he provided was on a Mac, the 'wormable, pre-authentication, zero-interaction, remote root' affected all platforms running Sophos. (Ormandy released the paper as an independent researcher, not in his role as a Google employee.)"

89 comments

Romney campaign in panic mode (-1)

Anonymous Coward | about a year and a half ago | (#41902857)

Key states are starting to break for Obama - Florida, Ohio, Wisconsin. John Boehner was spotted with tears streaming down his sun-baked face, and Paul Ryan was seen running for the nearest church to pray. Romney is probably somewhere rolling around in a pile of hundred dollar bills, consoling himself.

Re:Romney campaign in panic mode (-1)

Anonymous Coward | about a year and a half ago | (#41902901)

Tomayto, Tomahto, who cares. How many did Johnson and Stein win?

Re:Romney campaign in panic mode (-1, Troll)

Black Parrot (19622) | about a year and a half ago | (#41903011)

That's so far off topic that I can't resist commenting on it!!!

John Boehner was spotted with tears streaming down his sun-baked face

He must have been spending time on Krypton, because our sun doesn't bake faces orange.

Romney is probably somewhere rolling around in a pile of hundred dollar bills, consoling himself.

Right. That's like you or me rolling around in a pile of paper towels for consolation.

and Paul Ryan was seen running for the nearest church to pray

More likely he's running for campaign headquarters, to make sure he gets the shiv in first. And put in an order for some Ryan 2016 buttons.

Re:Romney campaign in panic mode (-1)

Anonymous Coward | about a year and a half ago | (#41903059)

I'm far more powerful than Jesus.

After all, can Jesus see what's inside your undies? I don't know, but with my security camera that I have installed in your undies, I certainly can!

Hahahahahaha!

Can someone explain (4, Insightful)

mrbluze (1034940) | about a year and a half ago | (#41902897)

Why a user would not simply install MS Security Essentials and be done with it?

Re:Can someone explain (2, Informative)

Anonymous Coward | about a year and a half ago | (#41902965)

Because large organisations don't have users installing unmanaged anti-virus software on company owned endpoints.

Sophos (at least in my country) barely rates a mention in the consumer/home user anti-virus market, but they are massive in the enterprise market.

Re:Can someone explain (5, Informative)

LordLimecat (1103839) | about a year and a half ago | (#41903147)

Security essentials is packaged for businesses as Forefront, and can be managed centrally.

Being "massive in the enterprise market" doesnt mean youre good at it.

Re:Can someone explain (4, Informative)

clarkn0va (807617) | about a year and a half ago | (#41904269)

Security essentials is packaged for businesses as Forefront

You're so last month! We're calling it System Center Endpoint Protection [microsoft.com] now, because it rolls off the tongue more naturally.

Re:Can someone explain (1)

cbhacking (979169) | about a year and a half ago | (#41904393)

LOL seriously? Microsoft branding idiots strike again, it seems...

Next up:
A) How many MS products called "Windows" aren't actually operating systems?
B) How many MS products called "Windows" don't actually use a window-based UI?
C) How many MS products called "Windows" can actually run Windows software?

Lots of other brand names to pick on, but seriously, Windows makes it too damn easy. MS marketing needs to get over its love affair with that brand; the results are that the company confuses typical (uneducated) consumers, and looks like an idiot to those who educate themselves.

Re:Can someone explain (1)

jamesh (87723) | about a year and a half ago | (#41904927)

While I agree with the thrust of your argument, the AV product is named System Center Endpoint Protection because System Center is the application used to centrally manage it (and the rest of your OS and application deployment needs) and Endpoint Protection is a well understood term, so in this case the name actually makes sense. I suspect they just got lucky.

Re:Can someone explain (0)

Anonymous Coward | about a year and a half ago | (#41905505)

It is in the center and at the endpoint at the same time! Amazing!

Re:Can someone explain (2)

CodeheadUK (2717911) | about a year and a half ago | (#41905539)

Yep. I used to look after Sophos in what should have been a very secure network.

Sophos sent the virus signature updates out monthly on CD-ROM.

We replaced it with McAfee. Not much better, but at least the updates hit every day or two.

Re:Can someone explain (1)

SpooForBrains (771537) | about a year and a half ago | (#41905571)

I've used Sophos in both the small business and enterprise incarnations, and both of them had a centrally managed way to download updates as frequently as you required. This wasn't even recently.

Re:Can someone explain (1)

CodeheadUK (2717911) | about a year and a half ago | (#41905627)

I don't remember when we switched. It was a few years back, but an update disc still finds its way to my desk every once in a while.

Re:Can someone explain (1)

CodeheadUK (2717911) | about a year and a half ago | (#41906539)

OK, I went back and checked the date on the scripts I wrote to manage the changeover. It was Nov 2003. Jebus, where does the time go?

Re:Can someone explain (2)

MrIlios (2524820) | about a year and a half ago | (#41906025)

I've used Sophos for around 7 years at different organisations and have always received updates automatically over the internet every few hours. Perhaps the installation on the 'very secure network' was set up a very long time ago and never reviewed - either that or the 'very secure network' was designed not to be internet connected and the update was specified to be delivered via physical media? I've had a few issues with the software in the past, including a recent widespread false-positive problem (http://www.sophos.com/en-us/support/knowledgebase/118311.aspx), but generally I've found the central management and reporting utility to be pretty good.

Re:Can someone explain (0)

Anonymous Coward | about a year and a half ago | (#41911629)

Virus signature updates happen multiple times per day. The scanning engine is updated once a month.

Re:Can someone explain (-1)

Anonymous Coward | about a year and a half ago | (#41902975)

Posting as anonymous because I modded you down.

MSE is for desktop users, for home computers. It's absolutely not for industrial networks, or as stated in the summary "high value information systems" which are specifically targeted by blackhats for big profit.

Re:Can someone explain (2, Informative)

Anonymous Coward | about a year and a half ago | (#41903095)

Then again, Dave Kennedy recently recommended MSE at a security conference I went to. Says it's much better than most of the other AVs he tested by far. It might be a desktop oriented product, but it does the job.

Re:Can someone explain (1)

Gumbercules!! (1158841) | about a year and a half ago | (#41904451)

So what is this?
http://www.microsoft.com/en-us/server-cloud/system-center/endpoint-protection-2012.aspx [microsoft.com] - System Center Endpoint Protection

That's MSE with centrally managed enterprise control (formerly known as ForeFront) and it's in use by a large number of organisations of substantial size (primarily because you "get it" along with other Microsoft products in your MS enterprise agreement).

MS Security Essentials on a Mac? (4, Funny)

dclozier (1002772) | about a year and a half ago | (#41903005)

I don't think there's an app for that. ;)

Re:MS Security Essentials on a Mac? (1)

cbhacking (979169) | about a year and a half ago | (#41904401)

Or on Linux. Sophos is available for both.

I feel terribly sorry for anybody who uses them, but hey, they *are* available!

Re:MS Security Essentials on a Mac? (0)

Anonymous Coward | about a year and a half ago | (#41909407)

Ask and you shall receive (though currently only the enterprise version)

http://blogs.technet.com/b/server-cloud/archive/2012/06/15/system-center-2012-extends-client-management-and-security-to-mac-and-linux.aspx

Re:MS Security Essentials on a Mac? (-1)

Anonymous Coward | about a year and a half ago | (#41905891)

Luckily for Mac and Linux users, their platforms will never reach any decent market share on desktops so very few people will bother writing exploits for them.

Re:Can someone explain (3, Informative)

fuzzyfuzzyfungus (1223518) | about a year and a half ago | (#41903035)

Why a user would not simply install MS Security Essentials and be done with it?

Among other considerations(like central management), I'm pretty sure that the MSSE license frowns on use in anything larger than a home/home office type environment.

MSE is for home or small business use. (2)

cbhacking (979169) | about a year and a half ago | (#41903041)

Well for one thing, MSE only runs on Windows. Sophos runs on OS X and Linux as well. Remember, this is a business-oriented product. In fact, one of the big concerns here is that there are so many bugs in the Sophos scanner that, if it's installed on a server (email, proxy/firewall, whatever), it's easy to compromise that server. This applies even if running Linux.

Re:Can someone explain (4, Informative)

Rennt (582550) | about a year and a half ago | (#41903043)

Users don't install Sophos. It's the kind of product that is marketed to the CEO level (thus forced on enterprise IT departments).

Re:Can someone explain (4, Informative)

Ritz_Just_Ritz (883997) | about a year and a half ago | (#41903215)

Bingo. I work at a large fortune 10 company with a few hundred thousand employees and it seems like a monthly occurrence where Sophos actively gets in the way. If it's not flagging benign content, it's causing resource problems on end-user systems. To call their support sluggish would be doing it a kindness. I believe we're actively looking for a replacement.

Re:Can someone explain (4, Funny)

cbhacking (979169) | about a year and a half ago | (#41904095)

I could email you a PDF to install that replacement for you...

No, not a PDF on *how* to install it, one that *would* do so (or rather, cause Sophos to do so) as soon as it entered your email server! :-)

Re:Can someone explain (3, Informative)

TheLink (130905) | about a year and a half ago | (#41904641)

And many here said I was stupid not to run antivirus software on my personal system. Fact is, Sophos and the rest of the AV idiots prove that the cure can be worse than the disease especially if you know how to avoid the disease.

I generally still believe that most normal Windows users are better off with some AV software, but nowadays when they still get infected and I still have to fix their frigging machines for them, it starts making me wonder whether they really are better off - the malware people do have access to the AV software so they can tweak their malware till it passes all of them.

Even though I don't use AV software, I won't get badly affected by most drive-bys since my browser does not run as the same user account as the account I use to log in to windows. The drive-by might set up the autorun and start up hooks, but they only apply to the browser account, which I don't use to log in. That browser has noscript and adblock too. I also use different browsers for banking (so pwning my Slashdot browser won't get you my bank stuff).

And I know how to upload stuff to virustotal to check before running it. So if the 30+ different AV software can't spot the virus, the virus would not be detected either if I installed AV software on my computer. The difference is the installed AV software would be using up my system resources every day, whereas I only need to do that check once in a long while. And the AV stuff is often exploitable[1] and they also have a habit of marking important stuff (or almost everything) as malware every few years.

If you pwn my video driver or do other stuff (zero day OS privilege escalation) then sure you can pwn me, but I bet the AV crap won't stop you either.

[1] Sophos, Symantec, McAfee, etc if you can crash them, they are likely to be exploitable, and their crappy software runs with higher privileges than my browsers.

Re:Can someone explain (2)

Xest (935314) | about a year and a half ago | (#41906855)

I don't know why the viewpoint you put forward is so unpopular on Slashdot, I've said the same sorts of things before and been modded into oblivion for it over the years.

It's a shame because it's true. If you're sensible in what you execute and don't visit untrusted websites with the likes of Javascript turned on in a browser running as administrator, and don't open fishy e-mail attachments etc. then there's really not much that can go wrong. You're not invulnerable by any measure, but the amount of times I've seen viruses fly right by AV software like McAfee and Sophos when I was working at tech support I'm not convinced you're any worse off either. What you do gain is system stability and system performance, as AV software is a horrendous drain on resources and tends to be of horrendous quality softwarewise, something this article points out too.

Honestly, fighting AV software always took up far far more time when I worked in support than viruses and other malware did, and regularly existed on machines that had AV installed.

The problem is that still, to this day, AV vendors are pushing a rather archaic model that is largely reactive in dealing with a number of types of threat. A number of viruses over the years demonstrated how fruitless the method was when the likes of msblast.exe spread so far and wide before the AV vendors offered any kind of defence against it that the damage was already done by the time their software had any relevance to securing systems against it. The only real defence at the time was a sensible patching regime against it.

Re:Can someone explain (1)

tibit (1762298) | about a year and a half ago | (#41907269)

I don't even think that having Javascript turned on is a problem. Not having it turned on pretty much makes most of the web nonfunctional. Javascript isn't a vastly larger exploitation target than the html parser and DOM engine. Sure turning off parts of the browser makes you a lesser target, but it's not like, say, Java that has comparably a ton of holes.

Re:Can someone explain (0)

Anonymous Coward | about a year and a half ago | (#41907923)

I run noscript on firefox so I can choose when javascript runs.

I have not had a virus since... ever. I have been using computers for 40 years. I have used every single version of DOS and Windows, many versions of MacOS, I've used MVS and OS/400 and Apollo Domain and OpenBSD and linux and Wang 2200s and RSTS/E and VAX/VMS et cetera ad nauseam. My system survived the Cornell Worm because I ran TGV on VMS instead of OSF1 or Ultrix.

People who insist that they have a god-given right to remain ignorant about the capabilities and operations of their tools (that is, the typical Windows or Mac user) will be exploited. Others can choose noscript and educate themselves and be happy.

I've been using global networks 40+ hours a week since the 1980s and have never gotten a virus because I don't run code *unless* I know how the author makes money and I don't use Microsoft email clients.

Re:Can someone explain (1)

Xest (935314) | about a year and a half ago | (#41908199)

Yes, I meant to say for untrusted sites. For most sites I visit I do have Javascript enabled, but if I was going somewhere untrusted then that wouldn't be the case.

Re:Can someone explain (1)

tibit (1762298) | about a year and a half ago | (#41909863)

So you're essentially betting that the untrusted site will exploit your javascript vm, versus, say, the good old image parsers, html parser, etc. :)

Re:Can someone explain (2)

TheLink (130905) | about a year and a half ago | (#41908569)

As I mentioned, if you run the browser as a different (even more restricted) user, the damage is usually limited, unless the malware uses a privilege escalation exploit. So even if you have javascript enabled, you could still be OK.

From a Computer Science perspective the AV vendors are attempting something "harder" than solving the Halting Problem. They are not always able to have the full inputs or the full description of the program, and "harm"/"evilness" sometimes is harder to define.
Halting Problem: given a program and its inputs figure out whether it will halt or run forever.
Malware detection problem: given part of a program, and part of the inputs figure out whether it will cause significant harm.

Hence I prefer sandboxing, or running stuff with more limited privileges. Which is a bit like solving the Halting Problem by setting a limit on how long the program can run, no matter what it tries to do.

Of course in the real world, heuristics are sometimes good enough. But when the malware authors also have access to VirusTotal and AV software in general, they can ensure that their stuff passes all the tests.

I believe Android and other systems require the program to specify up front what privileges they want (and presumably then enforce it with sandboxing). I've proposed something similar before to Ubuntu: https://bugs.launchpad.net/ubuntu/+bug/156693 [launchpad.net]

Requiring new programs to state what privileges they need (before deciding whether to run them or not) would be way better than the AV approach. Makes it easier to judge whether they will do something fishy or not - a screensaver is normally not likely to need network access.
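The comment above argues for bounding what a program can do rather than trying to decide in advance whether it is harmful, likening it to "solving the Halting Problem by setting a limit on how long the program can run." The following is an added example written for this page, not code from the thread or from any product discussed in it; it shows that idea concretely on a POSIX system using kernel resource limits (CPU seconds, address space) plus a wall-clock deadline, so that an untrusted child process is stopped by the limits no matter what it tries to do. The function names and the limit values are the example's own choices, and the test commands (a CPU spinner, a sleeper, an allocation bomb) are constructed stand-ins for an untrusted program.

```python
"""Bounded execution of an untrusted program.

Rather than deciding whether the child is 'evil', it is confined by limits
that hold regardless of its behaviour:
  - RLIMIT_CPU: kernel sends SIGXCPU once the CPU-time budget is spent
  - RLIMIT_AS:  allocations beyond the address-space cap fail with ENOMEM
  - timeout:    wall-clock deadline, for children that block instead of compute
Linux semantics are assumed (RLIMIT_AS is not enforced on every platform).
"""
import resource
import signal
import subprocess
import sys


def _apply_limits(cpu_seconds: int, mem_bytes: int):
    """Build the preexec hook: runs in the child between fork() and exec()."""
    def preexec():
        # Soft limit triggers SIGXCPU; the hard limit one second later ends the
        # process with SIGKILL even if it installed a SIGXCPU handler.
        resource.setrlimit(resource.RLIMIT_CPU, (cpu_seconds, cpu_seconds + 1))
        # Cap virtual memory so an allocation bomb fails instead of swapping
        # the host to death.
        resource.setrlimit(resource.RLIMIT_AS, (mem_bytes, mem_bytes))
    return preexec


def run_bounded(argv, cpu_seconds=1, mem_bytes=512 * 1024 * 1024, wall_seconds=10):
    """Run argv under the limits and classify what stopped it.

    Returns 'ok', 'cpu_limit', 'wall_limit' or 'error'.
    """
    try:
        proc = subprocess.run(
            argv,
            preexec_fn=_apply_limits(cpu_seconds, mem_bytes),
            capture_output=True,
            timeout=wall_seconds,  # subprocess kills the child on expiry
        )
    except subprocess.TimeoutExpired:
        return "wall_limit"
    if proc.returncode == 0:
        return "ok"
    if proc.returncode == -signal.SIGXCPU:
        return "cpu_limit"  # terminated by the kernel for exceeding RLIMIT_CPU
    return "error"          # crash, MemoryError/ENOMEM, non-zero exit, ...


# Constructed stand-ins for an untrusted program, as argv lists.
WELL_BEHAVED = [sys.executable, "-c", "print('hello')"]
CPU_SPINNER = [sys.executable, "-c", "while True: pass"]
SLEEPER = [sys.executable, "-c", "import time; time.sleep(30)"]
ALLOC_BOMB = [sys.executable, "-c", "x = bytearray(10**10)"]


if __name__ == "__main__":
    for name, argv in [("well-behaved", WELL_BEHAVED), ("cpu spinner", CPU_SPINNER),
                       ("sleeper", SLEEPER), ("alloc bomb", ALLOC_BOMB)]:
        print(f"{name:13s} -> {run_bounded(argv, cpu_seconds=1, wall_seconds=2)}")
```

The classification matters operationally: a child stopped by `cpu_limit` or `wall_limit` never got to finish whatever it was doing, which is exactly the property a detector based on signatures or heuristics cannot promise. The limits are per process, so a confined program that forks or spawns a helper needs the same treatment applied to the whole process group (or a cgroup), which this example does not do.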

Re:Can someone explain (0)

Anonymous Coward | about a year and a half ago | (#41907469)

> Fact is, Sophos and the rest of the AV idiots prove that the cure can be worse than the disease especially if you know how to avoid the disease.

Among the rest of those "idiots" there is Eugene Kaspersky. It is fairly well-known that his anti-Stuxnet/anti-Duqu collaboration with the ITU (a UN organization mostly led by ex-USSR educated african bureaucrats) has essentially prevented a US/IL-led war on Iran so far (and thus, potentially saving the world from WW3). That Eugene guy is using his 900 million USD and his Kaspersky Lab company resources to wage a single-person crusade against cyber-warfare. Lucky he lives next door to the Kremlin, else the Pentagon and the izzies would have had him bombed to smithereens by now.

It's So Nice (0)

Anonymous Coward | about a year and a half ago | (#41908741)

How you Americans and Jews "legitimize" your Permanent Warfare. So nice how you rationalize why it is basically OK to drive away families from their land at gunpoint. So nice when you whine about "your loved ones" being killed in retaliation.
Mr Ahmadinejad merely helps the oppressed and downtrodden to fight back against the injustice and brutality financed by US taxpayers. Now take your SUV and burn Arab oil stolen at gunpoint to "feel free".

Re:Can someone explain (0)

Anonymous Coward | about a year and a half ago | (#41910745)

I got to disagree. For the German state of Bavaria (you might know those cars branded BMW :)) Sophos has scored a state-wide deal to supply colleges, universities and students with their products. End users ("students" in this context) will rather likely install this if their campus IT says, "Here, get this premium, enterprise-grade AV for free!"

Because it's (0)

Anonymous Coward | about a year and a half ago | (#41903123)

not enough

Re:Can someone explain (1)

HideyoshiJP (1392619) | about a year and a half ago | (#41903203)

A consumer can and definitely should if they're using free antivirus. A business with more than 10 PCs cannot. It's against the EULA. They're supposed to get Forefront.

Re:Can someone explain (1)

Harassed (166366) | about a year and a half ago | (#41905837)

I've been recommending MSE for ages now as it seems to work fine for me. In a corporate environment, I have also long recommended the equivalent System Center Endpoint Protection (SCEP formerly Forefront Endpoint Protection). However, recent AV tests show that SCEP/FEP (and MSE which uses the same AV engine) are significantly worse than any of the competition.

Take a look at http://dennistechnologylabs.com/reports/s/a-m/2012/ [dennistechnologylabs.com] which puts SCEP at the bottom of the heap (although Trend doesn't fare much better to be honest)

Then look at the slightly older comparison at http://www.av-test.org/en/tests/corporate-user/julaug-2012/ [av-test.org] (FEP gets 2/6 for protection - lower than the next nearest - McAfee and Trend - both of which get 3.5/6)

Re:Can someone explain (1)

p.rican (643452) | about a year and a half ago | (#41905901)

Easy.

I have a MAC.

I needed a decent freely available anti-virus scanner and Sophos came highly recommended. On a side note, on my Win7 machine at home I do use MSE and recommend it to anyone using Windows. I'm kinda paranoid so I also keep MalwareBytes and CCleaner on my machines.

Re:Can someone explain (2)

tibit (1762298) | about a year and a half ago | (#41907311)

CCleaner isn't for the paranoid, it's simply a tool every administrator needs. Its functionality has nary nothing to do with viruses or malware. If you value your time, you won't be waiting for the microsoft-written add/remove software box to come up. It takes 15 fucking seconds to come up on a clean, less than a year old i7 system running Windows 7. Ccleaner's remove software pane comes up instantly.

Re:Can someone explain (1)

acoustix (123925) | about a year and a half ago | (#41908545)

Why a user would not simply install MS Security Essentials and be done with it?

Because if I can't trust Microsoft to make a relatively secure OS then there's no way in hell I'm trusting the same company/developers to make a properly working security software to run on top of the OS.

Third party security software makes sense.

IronPort.. (-1)

Anonymous Coward | about a year and a half ago | (#41902899)

...more like RootPort!

release the lawyers! (1)

Black Parrot (19622) | about a year and a half ago | (#41902939)

Let the lawsuits begin!!!

Any wagers on whether they sue Google, based on some strained argument that they are responsible for his views, even when acting independently?

Re:release the lawyers! (3, Interesting)

cbhacking (979169) | about a year and a half ago | (#41903021)

Sue for what? This was responsibly disclosed, and the facts are straightforward so it's not like they can sue for libel. In fact, Sophos requested and was granted a number of redactions and different phrasings throughout the paper. You can read about it in the document history section, near the bottom.

Yes, I read the whole paper... some 8 hours ago. Slashdot is slow.

Re:release the lawyers! (1)

Desler (1608317) | about a year and a half ago | (#41903295)

Yeah I'll bet $10000 they don't sue.

Re:release the lawyers! (2, Funny)

Anonymous Coward | about a year and a half ago | (#41903357)

Again with the $10,000 bets! Mitt, shouldn't you be focused on the election right now?

Re:release the lawyers! (1)

Sulphur (1548251) | about a year and a half ago | (#41906689)

Yeah I'll bet $10000 they don't sue.

Get the model release,

'Cause Sasquatch took a picture of you.

Helpcenter? (0)

Anonymous Coward | about a year and a half ago | (#41902989)

So he lets Sophos have a 2 month window, but when Microsoft doesn't give him special priority rights and enters him into the same bug system everyone else gets, he fully discloses?

Wow where would we be if not for ol Tavvy. I work in emerging threats for a large company, and totally remember that wave of helpcenter exploits we had BEFORE he fully disclosed, and then AFTER he disclosed we totally had zero exploits that copied his complicated embedded vbscript chain with the""%%A" sequences exactly.

Google probably only keep him employed so he doesn't fully disclose something he finds and doesn't get a response from the vendor 19 seconds after sending the email to their public email address.

Released.... in August! (4, Informative)

BLKMGK (34057) | about a year and a half ago | (#41903015)

This was the subject of a talk given at Black Hat (or was it DEFCON?) in August out in 'Vegas. Why it's news now suddenly is a mystery to me. The guy did thoroughly hack the product to include reversing its signature encryption (homebrew crypto?!) and figuring out that some features simply didn't work. However at the time of the talk he also told the audience that he had been working with the company and that they had changed some things and would be switching to standard crypto. I'd still agree the company comes across as slimy since some of their claims were pure crap (some signatures apparently obviously machine generated despite claims they didn't do that etc.) but now months later to post this like it's news? Really? Maybe he should have had this paper ready to roll right after the talk?

http://www.blackhat.com/html/bh-us-11/bh-us-11-briefings.html#Ormandy [blackhat.com]

Re:Released.... in August! (4, Insightful)

BLKMGK (34057) | about a year and a half ago | (#41903039)

Oh yeah, I asked the guy after his talk if he was going to research any other AV products - his response was that no he wasn't. I wish he would or that perhaps someone else would. I'm pretty sure Sophos isn't the high bar in AV but I'm betting that there may be some others with some pretty crappy behavior out there that haven't been highlighted. Why not give them a shot too? Wasn't clear why these guys were such a target although he did mention their being used in various hardware products as an AV engine as part of the reason.

Re:Released.... in August! (1)

WD (96061) | about a year and a half ago | (#41906621)

One has to wonder if the Sophos targeting was spite-driven in any way. Back in 2010, Sophos kind of trashed Tavis for disclosing a vul in Windows: http://nakedsecurity.sophos.com/2010/06/15/tavis-ormandy-pleased-website-exploits-microsoft-zeroday/ [sophos.com]

Re:Released.... in August! (1)

fatphil (181876) | about a year and a half ago | (#41909287)

But on the flipside, more people have trashed Graham Clueless than have ever complained about Tavis.

For example, I like the way that Clueless calls something which was made public 5 days after MS was notified of it a "zeroday". Those with enough brains to count up to five would be more inclined to call that a "fiveday" exploit, assuming they like the "N-day" moniker at all, which not all do.

Re:Released.... in August! (0)

Anonymous Coward | about a year and a half ago | (#41903697)

It was a *talk* before, which overviewed the hack. It didn't provide all critical details or reproducible code. Now that 100% of it is out, I'd say it's news worthy. The paper also overviews additional vulnerabilities not discussed in the talk.

Re:Released.... in August! (1)

cbhacking (979169) | about a year and a half ago | (#41904117)

Actually, it's not even 100% out. There's a ton of stuff in there that he's vague about, like not mentioning a single specific area where his fuzzer found something, plus at least one area where Sophos specifically requested that a vuln be concealed, and he agreed.

I'm not going to call him a sell-out for doing so - responsible disclosure is a tricky business, and it looks like Sophos is (somewhat slowly, but apparently in good faith) fixing some of the more egregious issues, so there's no huge push to disclose in order to force their hand. With that said, there are definitely still some serious issues that they have not fixed yet.

Re:Released.... in August! (2)

BLKMGK (34057) | about a year and a half ago | (#41904233)

Meh, he gave enough detail on how their sandbox couldn't handle specific processor instructions and would bypass files that had them to be pretty effective against the AV I'd say. I think there was also a specific number of instructions the sandbox would run before passing the file too but I might be thinking of another AV.

I'll grant that he didn't give a script that one could just copy and paste but I think he gave plenty of information to a pretty interested audience that could act on it back in August! If nothing else he described their crypto well enough for someone to duplicate his work if inclined and pointed out many areas that were weak. The paper just documents and supports his claims is what I'd say. Even when he spoke he admitted that Sophos was working to fix things already. Sophos wasn't squeaky clean, don't get me wrong, but this is so long after the fact that I'd pretty much forgotten about it so to me it comes across as his wanting to make a second splash with the research is all...

Re:Released.... in August! (0)

Anonymous Coward | about a year and a half ago | (#41909545)

This is the second paper in the series. The first one, which contains the information you're referring to, was indeed released a while back.

Re:Released.... in August! (0)

Anonymous Coward | about a year and a half ago | (#41911655)

You should not be surprised. Tavis Ormandy is an arrogant asshole, the biggest I've seen at Google so far.

--
Marcan, professional asshole [mailto]

Official Sophos Response. (5, Informative)

Deathlizard (115856) | about a year and a half ago | (#41903063)

From http://nakedsecurity.sophos.com/2012/11/05/tavis-ormandy-sophos/ [sophos.com] and reprinted here in case of slashdotting...

As a security company, keeping customers safe is Sophos's primary responsibility. As a result, Sophos experts investigate all vulnerability reports and implement the best course of action in the tightest time period possible.

Recently, researcher Tavis Ormandy contacted Sophos about an examination he had done of Sophos's anti-virus product, identifying a number of issues:

A remote code execution vulnerability was discovered in how the Sophos anti-virus engine scans malformed Visual Basic 6 compiled files. Sophos has seen no evidence of this vulnerability being exploited in the wild.
First reported to Sophos: 10 September 2012
Roll-out of a fix for Sophos customers completed: 22 October 2012 (42 days later)

The Sophos web protection and web control Layered Service Provider (LSP) block page was found to include a XSS flaw. Sophos has seen no evidence of this vulnerability being exploited in the wild.
First reported to Sophos: 10 September 2012
Roll-out of a fix for Sophos customers completed: 22 October 2012 (42 days later)

An issue was identified with the BOPS technology in Sophos Anti-Virus for Windows and how it interacted with ASLR on Windows Vista and later. Sophos has seen no evidence of this vulnerability being exploited in the wild.
First reported to Sophos: 10 September 2012
Roll-out of a fix for Sophos customers completed: 22 October 2012 (42 days later)

An issue was identified in how Sophos protection interacts with Internet Explorer's Protected Mode. Sophos has seen no evidence of this vulnerability being exploited in the wild.
First reported to Sophos: 10 September 2012
Roll-out of a fix for Sophos customers began: 5 November 2012 (56 days later)

Vulnerabilities were found in how Sophos's anti-virus engine handles malformed CAB files. These vulnerabilities could cause the Sophos engine to corrupt memory. Sophos has seen no evidence of this vulnerability being exploited in the wild.
First reported to Sophos: 10 September 2012
Roll-out of a fix for Sophos customers completed: 22 October 2012 (42 days later)

Vulnerabilities were found in how Sophos's anti-virus engine handles malformed RAR files. These vulnerabilities could cause the Sophos engine to corrupt memory. Sophos has seen no evidence of this vulnerability being exploited in the wild.
First reported to Sophos: 10 September 2012
Roll-out of a fix for Sophos customers began: 5 November 2012 (56 days later)

A remote code execution vulnerability was discovered in how the Sophos anti-virus engine scans malformed PDF files. Sophos has seen no evidence of this vulnerability being exploited in the wild.
First reported to Sophos: 5 October 2012
Roll-out of a fix for Sophos customers began: 5 November 2012 (31 days later)

Tavis Ormandy has provided examples of other malformed files which can cause the Sophos anti-virus engine to halt - these are being examined by Sophos experts. Sophos has seen no evidence of this occurring in the wild.
First reported to Sophos: 4 October 2012
Roll-out of a fix for Sophos customers will begin: 28 November 2012 (55 days later)

Best practice
Sophos customers are reminded of the following best practices:

1. Keep systems patched and up to date

2. Upgrade to the latest version of Sophos software to get the best protection

Responsible disclosure
Sophos believes in responsible disclosure.

The work of Tavis Ormandy, and others like him in the research community, who choose to work alongside security companies, can significantly strengthen software products. On behalf of its partners and customers, Sophos appreciates Tavis Ormandy's efforts and responsible approach.

Re:Official Sophos Response. (2, Funny)

Anonymous Coward | about a year and a half ago | (#41903297)

Best practice
Sophos customers are reminded of the following best practice:

0. Uninstall Sophos

Re:Official Sophos Response. (5, Insightful)

Anonymous Coward | about a year and a half ago | (#41903299)

What's worse?
1. That a security company had so many serious flaws in a flagship product
2. That the same security company considers it OK to take (on average) over 40 days to fix the issues. Remember that this is an Anti-virus product. One of the main use cases is to respond quickly to flaws in other software, to cover the period between the flaw becoming known, and the vendor releasing a fix.
3. That most clients won't see a problem with 2.

Re:Official Sophos Response. (1)

Copperhamster (1031604) | about a year and a half ago | (#41903855)

What's worse is Symantec or McAfee would throw lawyers at the problem and otherwise ignore it while counting their piles of money.

Re:Official Sophos Response. (2, Insightful)

Anonymous Coward | about a year and a half ago | (#41904139)

1. Well now it has that many fewer flaws. Yeah, it seems like a lot, but I'm not convinced Sophos has significantly more flaws than any other software. The previous AV product we used (McAfee) was buggy as hell, all the time. How many patches has Windows or Linux, or any other AV product or frankly any other significant piece of non-trivial software product on the market received? I'm confident the answer is 'more than 8' in all cases.

2. 40 days for a vulnerability which has not been disclosed publicly and is not being exploited in the wild isn't the worst thing in the world. It's not great, but it could be a McAfee product, and your computer could just freeze up periodically for minutes at a time when it updates.

3. The company I work for uses Sophos. Sure, I'd like to see the problems fixed sooner. Were the circumstances different (publicly released vulnerability and/or actively exploited) no doubt it would have been patched sooner, but the patch would have been less thoroughly tested. I'm happy with this response.

Re:Official Sophos Response. (1, Troll)

flyingfsck (986395) | about a year and a half ago | (#41904803)

or
4. That the OS in question is of such low quality that it requires third party band-aids to provide some level of protection against known exploits that remain unfixed for several years?
5. That nobody sees a problem with 4.

Re:Official Sophos Response. (0)

Anonymous Coward | about a year and a half ago | (#41904397)

"Sophos has seen no evidence of this occurring in the wild."

And Sony thought their network was secure, even as it was being pwned.
Just because you didn't see it while you had your fingers in your ears going lalalalalala no problems here lalaalalalala, does not mean it was not found and exploited.
What is more important for the Sophos name, finding evidence their product failed or not finding it?

42 days later... (1)

g4b (956118) | about a year and a half ago | (#41905187)

This fall, never before seen in cinema, a new type of hero, the geeky Sophos Patcher, finds himself fighting a virus in corporate HQ: The question of the universe and everything and zombies... Get ready to be patched...

C / C++ Responsible For Many Of the Bugs (0)

Anonymous Coward | about a year and a half ago | (#41908919)

Several of these bugs sound as if they were typical C and/or C++ issues. These are caused by developers being under pressure to "deliver features" by management. They simply can't deliver perfect code. Nobody in a commercial setting can (maybe with the exception of flight control, and even those have some ugly videos on YouTube).

We need to move away from C or C++ towards Memory Safe Languages, as this will immediately eliminate a large part (about 50% of reported) exploits. The often cited "overhead" is actually not that dramatic (probably less than 15% of CPU time) and there is no need to use VMs and bytecode to achieve memory safety.

Here is my attempt to build a memory-safe derivative of C++, complete with synchronous destructors and refcounted pointers:

http://sourceforge.net/p/sappeurcompiler/code-0/2/tree/trunk/

And yes, it is quite rough around the edges, but it demonstrates that you don't need to pay the Java or C# tax to get more robustness. Neither do you need to run the security risk called "JVM".

Arrogance/ego/"INDEPENDANT" hiatus. (-1)

Anonymous Coward | about a year and a half ago | (#41903137)

Even though what he has published can be critical, the tone used in his "paper" and the pseudo scholar format he tried to use kind of make me think this whole process is still ego oriented.

He probably considered that their response was too slow and that it was not meeting his attention expectation so he decided to slip in some arrogance.

People know Tavis is smart but he could keep his witty wisdom to himself and go straight to the point. The paper is really not straight to the point and maybe he should have asked for peer review of his format.

One bullet over the target two bullets in the pond.

Re:Arrogance/ego/"INDEPENDANT" hiatus. (0)

Anonymous Coward | about a year and a half ago | (#41903607)

Why do so many people look at the clothes people are wearing, their haircut, shave, attitude, the car they drive etc when forming opinions about the information other people put out? None of that changes the points and the information.

Take the information and use it as you see fit and form your own opinion based on the information, judge it for what it is.

Re:Arrogance/ego/"INDEPENDANT" hiatus. (2)

cbhacking (979169) | about a year and a half ago | (#41904191)

Frankly, a bit of arrogance is pretty normal here. I mean, this guy does what most people not only can't do, but treat as a kind of black magic... and he does it well. Lots of vulnerabilities are found each year. Some of them are known to be serious enough to be a major threat (i.e. all layers of defense can be cut through to produce a working exploit). A handful of them have exploits actually written, though usually with benign payloads (popping up Calculator is a popular choice in the community). Tavis not only did that, he did it multiple times to a high-profile target in the security field! That's a hell of a coup.

I actually think the tone of the paper was pretty good. It didn't read like some lawyer/marketing-whitewashed press release, it wasn't painfully dry and boring to wade through like so many academic papers, and it wasn't really gloating either. Yeah, he calls Sophos out and doesn't pull his punches much when pointing out their mistakes, but that's how the security world works, and this is doubly a matter of security (not just security flaws, but in a security product). Besides, he *did* pull his punches some; read the stuff on the revision history of the paper, and you'll see several indications of changes made at Sophos' behest.

Re:Arrogance/ego/"INDEPENDANT" hiatus. (1)

fatphil (181876) | about a year and a half ago | (#41911461)

"it wasn't really gloating either."

He's toned things down in the last year - have you read the original sophail from spring last year? He rips sophos' head off and pisses down their gullet. It's arrogant showboating, but absolutely perfect given the shambles he's covering. There's nothing wrong in making stupid companies which pretend that they are not stupid appear stupid.

Re:Arrogance/ego/"INDEPENDANT" hiatus. (1)

ark1 (873448) | about a year and a half ago | (#41906337)

About two years ago Sophos was highly critical of the way Tavis disclosed a high profile vulnerability in Windows calling it irresponsible.

http://nakedsecurity.sophos.com/2010/06/11/google-engineer-act-irresponsibly-microsoft-zeroday-disclosure/ [sophos.com]

Looks like Tavis did not take it too well and has since been going after Sophos products. His tone in the latest paper is simply a reflection of the feud between the two.

Re:Arrogance/ego/"INDEPENDANT" hiatus. (1)

fatphil (181876) | about a year and a half ago | (#41911515)

His tone in the previous paper (sophail, April 2011, IIRC) is much more a reflection of that. Except it's not a feud there, it's a DM-wearing kick-fest, and Sophos is the intoxicated tramp. You can almost hear /Singing in the Rain/ playing whilst reading it.

Oh Yeah, Shoot Messenger, Ignore Issues (0)

Anonymous Coward | about a year and a half ago | (#41908979)

That will certainly improve, well, financial results. Meanwhile Chicom Intel will walk away with your balls and you will discover it only when you want to make sex with momma the day after tomorrow.

We are led by sleazebags who first and foremost are experts in covering up and covering their rectums. See RSA/Lockheed and how Chicom got them.

SOPHOS - FTW !! (0)

Anonymous Coward | about a year and a half ago | (#41903167)

FTW ??

Fuck
The
World
!
!

Hospital (1)

tbird81 (946205) | about a year and a half ago | (#41904119)

A hospital I worked at had a horrible USB stick virus (which I ended up getting). Sophos didn't work, and the IT guy I reported it to just updated the definition file, and tried to scan again (and it obviously didn't work).

The thing that annoyed me the most was there was no way I could easily forward the virus files to Sophos. No way of communicating with them. I guess they just don't care. Making software work costs money. That money is best spent on marketing.

Fortunately there was nothing important on my card, and I have never allowed autorun, but it made me hate AV software even more.

Re:Hospital (4, Interesting)

myxiplx (906307) | about a year and a half ago | (#41904257)

No way to easily report the files? You just email them in, a 30 second phone call to Sophos will get you the details.

In a previous role we would help clean users home computers from time to time, and we discovered a good number of new viruses. I submitted half a dozen viruses to Sophos that weren't being picked up by any virus scanners. They confirmed them all within a few days, and signatures were added within weeks. The whole process is incredibly easy.

Re:Hospital (1)

hawkinspeter (831501) | about a year and a half ago | (#41905059)

Signatures were added within weeks?!

I can't believe people pay for Sophos when they can't even keep their virus definitions current. As much as I dislike Microsoft software, MSE is a much better bet.

AV security isn't (0)

Anonymous Coward | about a year and a half ago | (#41904477)

It's hardly unique. Lots of AV has giant flaws. Here's one we tested recently: eScan [itweb.co.za]

Six months to patch (0)

Anonymous Coward | about a year and a half ago | (#41906433)

From TFA:

Sophos initially estimated it would take six months to produce a patch that involved fixing a “single line of code”. According to Ormandy, Sophos subsequently agreed to two months.

That's nothing... Microsoft hasn't fixed a single-line error that's been in SQL Server Reporting Services since it was released, causing it to break CSV encoded files when a field contains a linebreak. [It's supposed to quote the field, but the line in question throws away the result of the string.replace() function.] That's been nearly twelve years.
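The defect the comment describes, a CSV writer that calls a replace on the field and then ignores the returned string, is easy to reproduce in any language with immutable strings. The following is an added example, not code from the comment or from SQL Server Reporting Services: a minimal RFC 4180-style field encoder and parser, with the buggy and corrected quoting functions side by side so the round-trip failure is visible. The function names and the sample record are constructed for illustration.

```python
"""Added example (not from the original post or from SSRS): RFC 4180-style
CSV field quoting, showing the bug where the result of str.replace() is
discarded, next to the corrected version.  Names and sample data are
constructed for illustration."""

import re

# A field must be quoted if it contains a quote, a comma or a line break.
_NEEDS_QUOTING = re.compile(r'[",\r\n]')


def quote_field_buggy(field: str) -> str:
    """Buggy: discards the result of replace(), so embedded quotes are never
    doubled and the output is not parseable back to the original value."""
    if not _NEEDS_QUOTING.search(field):
        return field
    field.replace('"', '""')  # strings are immutable; this line has no effect
    return '"' + field + '"'


def quote_field(field: str) -> str:
    """Correct: keep the doubled-quote result and wrap the field in quotes."""
    if not _NEEDS_QUOTING.search(field):
        return field
    return '"' + field.replace('"', '""') + '"'


def encode_record(fields, quoter=quote_field) -> str:
    """Encode one record using the given field quoter."""
    return ",".join(quoter(f) for f in fields)


def parse_record(text: str) -> list:
    """Minimal RFC 4180 parser for one record; quoted fields may contain
    commas, doubled quotes and line breaks."""
    out, cur, in_quotes, i = [], [], False, 0
    while i < len(text):
        c = text[i]
        if in_quotes:
            if c == '"':
                if i + 1 < len(text) and text[i + 1] == '"':
                    cur.append('"')  # doubled quote inside a quoted field
                    i += 1
                else:
                    in_quotes = False
            else:
                cur.append(c)
        elif c == '"':
            in_quotes = True
        elif c == ",":
            out.append("".join(cur))
            cur = []
        else:
            cur.append(c)
        i += 1
    out.append("".join(cur))
    return out


def round_trips(fields, quoter) -> bool:
    """True if encode-then-parse returns the original fields unchanged."""
    return parse_record(encode_record(fields, quoter)) == list(fields)


# Constructed sample: the second field contains quotes and a line break.
SAMPLE = ["42", 'He said "hi"\nand left', "plain"]

if __name__ == "__main__":
    print(encode_record(SAMPLE, quote_field_buggy))
    print(encode_record(SAMPLE, quote_field))
    print(round_trips(SAMPLE, quote_field_buggy), round_trips(SAMPLE, quote_field))
```

Running the block prints the buggy and correct encodings of the sample record and then `False True`: the buggy encoder wraps the field in quotes but leaves the inner quotes single, so the parser ends the field early and the line break lands outside any quoted field, which is exactly the broken-CSV symptom the comment describes.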

Official Official Sophos Response (1)

john.willis1 (2759567) | about a year and a half ago | (#41907599)

Just in case someone wants the numbers.

Includes eight points of document, attack points, response and versions of product in which they were fixed and dates the fixed versions released.

Sophos KB Article 118424 [sophos.com]

Where this all started back in July 2012:
Small children shouldn't cast stones [sophos.com]
Ongoing "drama"
A dish best served with Ketchup [sophos.com]

The "sequel"
Never let a good Rant get the best of you [blogspot.com]

And today "When last we Left Lost.."