It’s not often that a major software vendor gets hit with two major blows in the same month – but that’s exactly what happened to security firm Sophos recently.
Sophos antivirus issue #1
Back in September, Sophos released an update to its antivirus software that caused the program to classify a malware definition update as malware by mistake.
The update, other critical files, and in some cases, custom-built business applications were quarantined, which caused mayhem. System admins were bombarded with email alerts caused by the false positives and many companies saw critical business functions grind to a halt.
Sophos issued a fix within half a day, but the damage to their customers’ systems had already been done.
To add insult to injury, IT workers had to visit each workstation individually in order to remedy the situation because Sophos’ Enterprise Console doesn’t allow you to remove items from quarantine remotely.
Sophos antivirus issue #2
Around the same time, Tavis Ormandy, who’s an information security engineer at Google by day and an independent security researcher by night, alerted Sophos that he’d found a number of critical flaws in the Windows, Linux and Mac OS X builds of their antivirus software.
Ormandy publicized his findings earlier this week. Sophos responded by saying it fixed almost all of the vulnerabilities Ormandy uncovered within weeks of receiving the information. The company also said the last remaining bug will be fixed by the end of November and insisted none of the vulnerabilities have been exploited in the wild.
Despite this, Ormandy cautions against using Sophos antivirus. In his report, he calls into question the firm’s ability to respond quickly to future attacks as well as the quality of its code and its quality assurance testing. In fact, he recommends that “Sophos products should only ever be considered for low-value non-critical systems and never deployed on networks or environments where a complete compromise by adversaries would be inconvenient.”
Ormandy offers the following advice to Sophos users:
- Implement and test contingency plans in case you’re attacked, because Sophos won’t be able to help you stop a network intrusion for some time;
- Do not install Sophos antivirus products on “high-security, critical, or high-value” systems; and
- Only ever install Sophos products on devices that can be updated easily, since the large number of vulnerabilities present in the Sophos codebase means that regular patching is a necessity.
There’s a lesson in all of this for IT managers: Security applications get released with critical flaws just like any other type of software. To keep your network safe, treat security software like any other application you install: Make sure it’s patched and up-to-date at all times, and include it in scope when you test your systems for vulnerabilities.