All the latest UK technology news, reviews and analysis


Google researcher warns firms not to use Sophos AV for mission-critical systems

07 Nov 2012
malware virus security threat breach

A Google security researcher has warned businesses that have deployed anti-virus tools from Sophos software that they may be less secure than they thought, having uncovered flaws with posed “significant risk to global networks and infrastructure”.

Tavis Ormandy, who published his findings independently, said the scale of the problem with multiple memory corruption and product design flaws means firms should seriously question whether Sophos' security products were suitable to mission-critical systems.

“Sophos products should only ever be considered for low-value non-critical systems and never deployed on networks or environments where a complete compromise by adversaries would be inconvenient,” he wrote, discussing his findings.

Ormandy said he had warned Sophos about the flaws two months ago, giving the firm time to deliver fixes before publishing.

“Sophos did allocate some resources to resolve the issues discussed, however they were clearly ill-equipped to handle the output of one co-operative, non-adversarial security researcher,” he wrote.

Sophos has disputed these claims.

“As a security company, keeping customers safe is Sophos's primary responsibility,” a company representative wrote on its Naked Security blog.

Sophos also outlined when it had received notification from Ormandy about flaws, and the dates at which it had rolled out fixes.

“Ormandy has provided examples of other malformed files which can cause the Sophos anti-virus engine to halt - these are being examined by Sophos experts. Sophos has seen no evidence of this occurring in the wild,” the Sophos blogger added.

Ormandy said Sophos' slow response indicated it was ill-equipped to protect customers' vital systems.

"Sophos simply cannot react fast enough to prevent attacks, even when presented with a working exploit," he wrote.

This is not the first time Ormandy has trashed Sophos' security. Back in 2011, he published a paper accusing the firm of using weak encryption techniques and poor malware signature detection.

Hostilities first started in 2010, when Sophos spokesman Graham Cluley attached Ormandy for publishing details of a Windows XP vulnerability without giving Microsoft enough time to devise a fix.

These days, relations seem a little better – at least on the surface.

“On behalf of its partners and customers, Sophos appreciates Tavis Ormandy's efforts and responsible approach,” Sophos wrote about Ormandy's latest disclosures.

  • Comment  
  • Tweet  
  • Google plus  
  • Facebook  
  • LinkedIn  
  • Stumble Upon  
More on Security
What do you think?
blog comments powered by Disqus
Poll

BYOD vs CYOD vs BYOC poll

Which approach is your firm taking to managing employees' mobile devices?
21%
13%
4%
22%
29%
11%

Popular Threads

Powered by Disqus
Sony Xperia Z2 Tablet powered by Android KitKat 4.4

Sony Xperia Z2 Tablet video

We take a look at the lightweight, waterproof tablet

Updating your subscription status Loading
Newsletters

Get the latest news (daily or weekly) direct to your inbox with V3 newsletters.

newsletter sign-up button
hpv33

Data protection: the key challenges

Deduplication is a foundational technology for efficient backup and recovery

rdc2

iPad makes its mark in the enterprise

The iPad can become a supercharged unified communications endpoint, allowing users to enhance their productivity

Software Development Engineer

Develop: Customise: Configure. Maximise your technical...

Project Manager

Hotcourses – Project Manager Salary - £30k to £38k...

Head of IT

A Head of IT is required by a large property services...

Web Developer - HTML5, CSS, PHP, JavaScript, JQuery.

Fantastic opportunity to join a forward-thinking expanding...
To send to more than one email address, simply separate each address with a comma.