A number of recently discovered flaws in antivirus software from Sophos highlight the importance of upholding secure development standards, according to researcher Tavis Ormandy.
The vulnerabilities could allow an attacker to gain control of the system, escalate privileges or cause a denial-of-service condition, according to a report from the U.S. Computer Emergency Readiness Team (US-CERT). Sophos has patched seven of the vulnerabilities, which affected versions of the software on Windows, Mac and Linux platforms, as well as the vendor’s software development toolkit for OEM partners, InformationWeek reported. The company said in a blog post that it has not encountered any instances of exploits occurring in the wild and applauded Ormandy for responsible disclosure of the discovery.
Ormandy, a security researcher at Google who reverse-engineered the software in his spare time, found eight previously undocumented vulnerabilities. Several of these stemmed from the way the Sophos application scans different file types, including PDFs and files compiled in Visual Basic 6. Others involved how the program interacts with protections in other software, such as Internet Explorer’s Protected Mode and ASLR on Windows Vista and later versions. The one bug that remains unfixed causes the Sophos engine to halt while scanning malformed files.
Need for secure development
In a research paper detailing the coding issues, Ormandy said the vulnerabilities were particularly troubling because they occurred in software designed to protect users from attack. To prevent a damaging loss of credibility and minimize the risk of such problems in the future, Sophos may need to revise its coding process to place more emphasis on security, Ormandy said.
“By design, antivirus products introduce a vast attack surface to a hostile environment,” he wrote. “The vendors of these products have a responsibility to uphold the highest secure development standards possible to minimize the potential for harm caused by their software.”
A development process that uses source code analysis to improve code design and limit errors could help developers avoid the type of issues Sophos encountered. Ormandy noted that “many of the vulnerabilities … could have been severely limited by correct security design.”
Companies can treat this incident as a prompt to build software security into their development process and avoid the reputation damage that such exploits can cause.