For those of you who might not know who Tavis Ormandy is, you might have heard about his name back in June 2010. At that time, he published his research about a vulnerability and PoC code on how to exploit the Microsoft Help and Support Center application that could be exploited on Microsoft Windows XPSP3 with Internet Explorer 6,7 or 8 (CVE-2010-1885). After the disclosure the vulnerability was rapidly introduced into Metasploit framework and some controversy was made around his responsible disclosure approach. Microsoft released a patch for this vulnerability on 13th July 2010. Additional research was made using this vulnerability and results were found on how to bypass AV due to the fact the vendor’s products allowed the execution of code before detecting the malware. This resulted in CVE-2010-3496, CVE-2010-3497, CVE-2010-3498 and CVE-2010-3499 affecting McAfee, Symantec, AVG and F-Secure respectively. Other than that Tavis Ormandy has more than 120 vulnerabilities disclosed between 2004 and 2010.
Conversely, what I wanted to mention here is that he just recently published the second part of a great research about the Sophos AV. The first paper released on this topic named “Sophail: A Critical Analysis of Sophos Antivirus” can be found here. On this second part, you can find very technical detailed explanation and detailed analysis on how typical Sophos antivirus deployments are exposed to several attacks like integer overflow, local privileged escalation, XSS and many others. A summary of the vulnerabilities can be found on Sophos website. The vulnerabilities found affect the latest version of Sophos at the time of the published paper. If you are using Sophos you should consider patching it.
One thing to note other than this great research it’s the good cooperation and collaboration that was done between Tavis and Sophos to release this information in a responsible approach. Further details and a timeline of the events can be looked at section six of the document. According to Sophos the majority of the vulnerabilities have been addressed. The ones still not fixed, a patch is expected to be released on 28th November.
Count Upon Security 