Tavis Ormandy claims that Sophos needs to avoid easy mistakes and issue patches faster.
In a 30-page analysis with the catchy title “Sophail: Applied attacks against Sophos Antivirus”, he listed several flaws “caused by poor development practices and coding standards”. Sophos made matters worse, he said, by not responding quickly enough to his warning that he had working exploits for those flaws.
For example, he claimed, Sophos’ on-access scanner could be used to launch a worm: an attacker would only need to send a malicious email to a company that receives its mail via Outlook, because the scanner inspects incoming messages automatically and no user interaction is required.
He tested all this on a Mac, but believes that the “wormable, pre-authentication, zero-interaction, remote root” vulnerability affected all platforms running Sophos.
Ormandy’s conclusion was that installing Sophos Antivirus exposes machines to considerable risk. If Sophos does not urgently improve its security, he wrote, its continued deployment causes significant risk to global networks and infrastructure.
He said that he gave Sophos two months to fix the flaws before he published.
Needless to say, Sophos was a little miffed. Writing on its blog, it said that the bulk of the vulnerabilities had been fixed and that the company had not seen any of the flaws being exploited in the wild. It plans to release further fixes on November 28.
But it appears that Ormandy and Sophos disagree about how long it should take to fix problems.
Sophos initially estimated that it would take six months to produce a patch for a flaw whose fix involved a “single line of code”; after Ormandy had a few words with the company, it agreed to two months.
Ormandy said that Sophos was “working with good intentions” but “ill-equipped to handle the output of one co-operative security researcher working in his spare time”.