Security solutions provider Sophos has addressed a number of vulnerabilities in its antivirus product. The issues were identified by security researcher Tavis Ormandy who contacted the company after examining the application.
One of the issues discovered by Ormandy was a remote code execution vulnerability that affected the way the antivirus engine scanned malformed Visual Basic 6 files.
Vulnerabilities were also caused because of the way .cab, .rar and .pdf files were handled.
Some relatively new technologies implemented in Microsoft operating systems also caused some issues. The interaction between the BOPS technology in Sophos Anti-Virus and ASLR on Windows Vista and later was a bit buggy.
The interaction between Internet Explorer’s protected mode and Sophos protection mechanisms were also problematic.
Finally, the classic cross-site scripting (XSS) flaw could not be left out. It was founds to plague the web protection and web control Layered Service Provider (LSP) block page.
All the vulnerabilities were addressed by Sophos with fixes rolled out in October 22 and November 5. Furthermore, there’s no evidence to indicate that any of the security holes has been exploited in the wild.
The researcher has also found other problems that can cause the antivirus engine to halt. They’re currently being investigated and if they check out, Sophos representatives state that fixes will be made available most likely starting with November 28.
Similar to other reputable companies, Sophos considers that keeping customers safe is a primary responsibility. They encourage researchers to practice responsible disclosure in order to help them in this task.
“Sophos believes in responsible disclosure. The work of Tavis Ormandy, and others like him in the research community, who choose to work alongside security companies, can significantly strengthen software products,” Sophos representatives wrote
“On behalf of its partners and customers, Sophos appreciates Tavis Ormandy's efforts and responsible approach.”