Tavis Ormandy, one of Google’s security experts, claimed he had found several serious security vulnerabilities in Sophos Antivirus and concluded that it should not be used on important computer systems. The security expert claims that Sophos makes elementary mistakes and fails to issue patches quickly. He published a report describing several flaws that he attributes to the company’s poor development practices and coding standards. Sophos did not respond fast enough to his warning, which only made things worse.
For instance, it turned out that Sophos’ on-access scanner could be used to launch a worm by targeting a firm that receives an attack email through Outlook. The vulnerabilities were all tested on a Mac, but the expert believes that the wormable remote root flaw can affect all platforms that run Sophos.
Tavis Ormandy concluded that users who install Sophos Antivirus expose their computers to considerable risk. Unless Sophos improves its security in the near future, its deployment may pose considerable risk to global networks and infrastructure. Ormandy pointed out that he gave Sophos two months to address the problems before he published the report.
Of course, Sophos was not happy about a 30-page report saying that it fails to do its job. It replied that many of the flaws had already been fixed and that the company had not seen the fixed flaws being exploited in the wild. Sophos announced the release of further fixes at the end of November. However, Sophos believes it would take half a year to release a patch that fixes a single line of code, while Ormandy says two months. The security expert admits that the company is working with good intentions, but is still ill-equipped to address flaws that he alone revealed in his spare time.