All the latest UK technology news, reviews and analysis


Google researcher warns firms not to use Sophos AV for mission-critical systems

07 Nov 2012
security risk management

A Google security researcher has warned businesses that have deployed anti-virus tools from Sophos software that they may be less secure than they thought, having uncovered flaws with posed “significant risk to global networks and infrastructure”.

Tavis Ormandy, who published his findings independently, said the scale of the problem with multiple memory corruption and product design flaws means firms should seriously question whether Sophos' security products were suitable to mission-critical systems.

“Sophos products should only ever be considered for low-value non-critical systems and never deployed on networks or environments where a complete compromise by adversaries would be inconvenient,” he wrote, discussing his findings.

Ormandy said he had warned Sophos about the flaws two months ago, giving the firm time to deliver fixes before publishing.

“Sophos did allocate some resources to resolve the issues discussed, however they were clearly ill-equipped to handle the output of one co-operative, non-adversarial security researcher,” he wrote.

Sophos has disputed these claims.

“As a security company, keeping customers safe is Sophos's primary responsibility,” a company representative wrote on its Naked Security blog.

Sophos also outlined when it had received notification from Ormandy about flaws, and the dates at which it had rolled out fixes.

“Ormandy has provided examples of other malformed files which can cause the Sophos anti-virus engine to halt - these are being examined by Sophos experts. Sophos has seen no evidence of this occurring in the wild,” the Sophos blogger added.

Ormandy said Sophos' slow response indicated it was ill-equipped to protect customers' vital systems.

"Sophos simply cannot react fast enough to prevent attacks, even when presented with a working exploit," he wrote.

This is not the first time Ormandy has trashed Sophos' security. Back in 2011, he published a paper accusing the firm of using weak encryption techniques and poor malware signature detection.

Hostilities first started in 2010, when Sophos spokesman Graham Cluley attached Ormandy for publishing details of a Windows XP vulnerability without giving Microsoft enough time to devise a fix.

These days, relations seem a little better – at least on the surface.

“On behalf of its partners and customers, Sophos appreciates Tavis Ormandy's efforts and responsible approach,” Sophos wrote about Ormandy's latest disclosures.

  • Comment  
  • Tweet  
  • Google plus  
  • Facebook  
  • LinkedIn  
  • Stumble Upon  
More on Security
What do you think?
blog comments powered by Disqus
Poll

Windows 10 poll

What are your first impressions of Windows 10?
12%
5%
10%
3%
19%
3%
48%

Popular Threads

Powered by Disqus
V3 Sungard roundtable event - Cloud computing security reliability and scalability discussion

CIOs debate how to overhaul businesses for the digital era

V3 hosts roundtable with Sungard Availability Services

Updating your subscription status Loading
Newsletters

Get the latest news (daily or weekly) direct to your inbox with V3 newsletters.

newsletter sign-up button
hpv3may

Getting started with virtualisation

Virtualisation can help you reduce costs, improve application availability, and simplify IT
management. However, getting started can be challenging

ibmv3may

Converting big data and analytics insights into results

Successful leaders are infusing analytics throughout their organisations to drive smarter decisions, enable faster actions and optimise outcomes

Contract ASP.NET Developer

You will experience: Working within an AGILE environment...

C# Developer for small software house. Great Learning Opportunity

Small software house in the southwest. Great living conditions...

Junior Database & Application Developer

35 hours per week 1 year fixed term contract...

Systems Analyst

Our Client is a fast growing service provider in the...
To send to more than one email address, simply separate each address with a comma.