VERT Alert - November 9, 2012
November 9, 2012 2:30 PM (PT)
The Tripwire VERT Alert is brought to you by Tripwire VERT, Tripwire 's research team. VERT Alerts are distributed for Microsoft Patch Tuesday and for significant security threats.
A recently released paper by Tavis Ormandy details a number of critical vulnerabilities plaguing Sophos Anti-Virus products. While this is not the first time an AV company has seen issues like these, it's important to be aware of these flaws due to the number of issues disclosed at a single point in time.
The issue with the greatest potential impact is the multiple file format parsing issues. So far PDF, VB6, CAB, and RAR file parsing has been fixed, additional patches slated to be released later this month. Vulnerabilities of this type in AV products are always dangerous since email is generally processed before the end user even reads it.
In addition to file format vulnerabilities, Ormandy identified issues with the Sophos browser security add-ons, which breaks IE Protected Mode (a mode in IE meant to increase security). Additionally, a universal Cross-Site Scripting (XSS) vulnerability was introduced, allowing users to violate the Same Origin Policy. This is considered to be a fatal flaw in the web security world.
Finally, Sophos introduced Buffer Overflow Protection for their customers via a product known as BOPS. This product was compiled without Address Space Layout Randomization (ASLR), a feature that randomizes the start-up memory location of binaries to increase the difficulty of exploitation.
Original Paper: https://lock.cmpxchg8b.com/sophailv2.pdf
Sophos Blog Post: http://nakedsecurity.sophos.com/2012/11/05/tavis-ormandy-sophos/
Exposure & Impact
If you have an unpatched installation of Sophos, you're vulnerable to remote code execution by simply checking your email. Additional threats are present every time you browse a website.
The upside is that fixes are currently available for all of the disclosed issues; additional fixes will be coming soon. Users should apply these fixes if they decide to continue running Sophos anti-virus. If you cannot install these fixes, you should consider an alternate AV solution.
Remediation & Mitigation
IP360 Coverage- To determine which machines are running Sophos look for Sophos in the application portion of your scan or use Focus to search for app:"Sophos".
PureCloud Coverage - To determine which machines are running Sophos look for Sophos in the application portion of your scan