According to Google Information Security Engineer Tavis Ormandy’s report, “Sophail: Applied attacks against Sophos Antivirus,” Sophos’ antivirus should not be used in environments that host sensitive information and should only be deployed on low-value, non-critical systems.
Sophos prides itself on the fact that its products are used in healthcare, government, finance and even the military, but Ormandy’s report states that what Sophos offers is vulnerable to attack.
“[I]nstalling Sophos Antivirus exposes machines to considerable risk,” the report stated. “If Sophos do not urgently improve their security posture, their continued deployment causes significant risk to global networks and infrastructure.”
Sophos was given a copy of the report before it was published and was quick to address the issues Ormandy raised, though for every issue the company stated that it had found “no evidence of this vulnerability being exploited in the wild.” Sophos even commended Ormandy’s report, calling it “responsible disclosure.”
“The work of Tavis Ormandy, and others like him in the research community, who choose to work alongside security companies, can significantly strengthen software products,” Sophos stated in a blog post. “On behalf of its partners and customers, Sophos appreciates Tavis Ormandy’s efforts and responsible approach.”
Still, the security engineer was not satisfied with what Sophos had done to fix the antivirus, and insisted that if the security company cannot fix a simple vulnerability, then its product should not be used in security-sensitive environments.
“From this interaction we can conclude that for the simplest vulnerabilities, Sophos simply cannot react fast enough to prevent attacks, even when presented with a working exploit. Should an attacker choose to use Sophos Antivirus as their conduit into your network, Sophos will simply not be able to prevent their continued intrusion for some time, and you must implement contingency plans to handle this scenario if you choose to continue deploying Sophos,” Ormandy wrote.
Ormandy and Sophos had a previous encounter in which the security company called him out for publicly disclosing his findings on Microsoft security flaws just five days after the software company was given a copy of his report. Ormandy justified his actions on the grounds that the public had a right to know, but Sophos pointed out that five days is not enough time to fix the security issues.