Security expert Tavis Ormandy has revealed critical security vulnerabilities in Sophos anti-virus software. This includes the publishing of a proof of concept (PoC) for a root exploit for Sophos 8.0.6 for Mac OS X, which applies a stack buffer overflow when searching through PDF files. The vulnerability is as well likely to affect Linux and Windows versions.
Ormandy has released a full analysis on the SecLists.org security mailing list newsletter. A module for the Metasploit penetration testing software is now also available.
According to information from Sophos, the security deficits named have been patched since 5 November and the anti-virus company isn’t aware of any of the vulnerabilities having been exploited in the wild. Sophos also expressly thanks Ormandy for his work and for exercising responsibility when discovering the problems. The complete list of bugs identified by Ormandy will, it says, be fixed by 28 November at the latest.