
Google researcher warns firms not to use Sophos AV for mission-critical systems

07 Nov 2012

A Google security researcher has warned businesses that have deployed anti-virus tools from Sophos that they may be less secure than they thought, having uncovered flaws which posed “significant risk to global networks and infrastructure”.

Tavis Ormandy, who published his findings independently, said the scale of the problem, with multiple memory corruption and product design flaws, means firms should seriously question whether Sophos' security products are suitable for mission-critical systems.

“Sophos products should only ever be considered for low-value non-critical systems and never deployed on networks or environments where a complete compromise by adversaries would be inconvenient,” he wrote, discussing his findings.

Ormandy said he had warned Sophos about the flaws two months ago, giving the firm time to deliver fixes before publishing.

“Sophos did allocate some resources to resolve the issues discussed, however they were clearly ill-equipped to handle the output of one co-operative, non-adversarial security researcher,” he wrote.

Sophos has disputed these claims.

“As a security company, keeping customers safe is Sophos's primary responsibility,” a company representative wrote on its Naked Security blog.

Sophos also outlined when it had received notification from Ormandy about flaws, and the dates at which it had rolled out fixes.

“Ormandy has provided examples of other malformed files which can cause the Sophos anti-virus engine to halt - these are being examined by Sophos experts. Sophos has seen no evidence of this occurring in the wild,” the Sophos blogger added.

Ormandy said Sophos' slow response indicated it was ill-equipped to protect customers' vital systems.

"Sophos simply cannot react fast enough to prevent attacks, even when presented with a working exploit," he wrote.

This is not the first time Ormandy has trashed Sophos' security. Back in 2011, he published a paper accusing the firm of using weak encryption techniques and poor malware signature detection.

Hostilities first started in 2010, when Sophos spokesman Graham Cluley attacked Ormandy for publishing details of a Windows XP vulnerability without giving Microsoft enough time to devise a fix.

These days, relations seem a little better – at least on the surface.

“On behalf of its partners and customers, Sophos appreciates Tavis Ormandy's efforts and responsible approach,” Sophos wrote about Ormandy's latest disclosures.
