Google researcher warns firms not to use Sophos AV for mission-critical systems

A Google security researcher has warned businesses that have deployed anti-virus tools from Sophos software that they may be less secure than they thought, having uncovered flaws with posed “significant risk to global networks and infrastructure”.

Tavis Ormandy, who published his findings independently, said the scale of the problem with multiple memory corruption and product design flaws means firms should seriously question whether Sophos' security products were suitable to mission-critical systems.

“Sophos products should only ever be considered for low-value non-critical systems and never deployed on networks or environments where a complete compromise by adversaries would be inconvenient,” he wrote, discussing his findings.

Ormandy said he had warned Sophos about the flaws two months ago, giving the firm time to deliver fixes before publishing.

“Sophos did allocate some resources to resolve the issues discussed, however they were clearly ill-equipped to handle the output of one co-operative, non-adversarial security researcher,” he wrote.

Sophos has disputed these claims.

“As a security company, keeping customers safe is Sophos's primary responsibility,” a company representative wrote on its Naked Security blog.

Sophos also outlined when it had received notification from Ormandy about flaws, and the dates at which it had rolled out fixes.

“Ormandy has provided examples of other malformed files which can cause the Sophos anti-virus engine to halt - these are being examined by Sophos experts. Sophos has seen no evidence of this occurring in the wild,” the Sophos blogger added.

Ormandy said Sophos' slow response indicated it was ill-equipped to protect customers' vital systems.

"Sophos simply cannot react fast enough to prevent attacks, even when presented with a working exploit," he wrote.

This is not the first time Ormandy has trashed Sophos' security. Back in 2011, he published a paper accusing the firm of using weak encryption techniques and poor malware signature detection.

Hostilities first started in 2010, when Sophos spokesman Graham Cluley attached Ormandy for publishing details of a Windows XP vulnerability without giving Microsoft enough time to devise a fix.

These days, relations seem a little better – at least on the surface.

“On behalf of its partners and customers, Sophos appreciates Tavis Ormandy's efforts and responsible approach,” Sophos wrote about Ormandy's latest disclosures.