Executive Summary

Title: Sophos Antivirus contains multiple vulnerabilities
Name: VU#662243
First vendor publication: 2012-11-05
Vendor: VU-CERT
Last vendor modification: 2012-11-06
Severity (vendor): N/A
Revision: M



Vulnerability Note VU#662243

Sophos Antivirus contains multiple vulnerabilities

Original Release date: 05 Nov 2012 | Last revised: 06 Nov 2012


Sophos Antivirus contains multiple vulnerabilities including memory corruption issues and design flaws.


Tavis Ormandy's security report lists the following vulnerabilities. They are new and separate from those in his 2011 report, "Sophail: A Critical Analysis of Sophos Antivirus" (PDF). Additional details are available in the full report, "Sophail: Applied attacks against Sophos Antivirus" (PDF). Sophos has posted a response on its blog: "Sophos products and Tavis Ormandy."

Integer overflow parsing Visual Basic 6 controls
Visual Basic 6 executables include metadata such as GUIDs, names and paths. Sophos Antivirus extracts some of this metadata when it finds a VB6 executable. The validation code for this metadata is inconsistent, so an integer overflow exists that may lead to an exploitable heap overflow.

sophos_detoured_x64.dll ASLR bypass
Sophos Antivirus ships a buffer overrun protection feature called "BOPS", intended to provide an ASLR-like implementation for Windows XP. It is implemented by using the AppInit_DLLs mechanism to force most processes to load sophos_detoured_x64.dll. This DLL is not built with ASLR support, so it is loaded at a static address. The DLL can then be used in return-oriented programming exploits to bypass ASLR on Windows Vista and Windows 7.
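As an added defender's check (not part of the advisory or of Sophos' code), the following Python reads a PE image's DllCharacteristics field to tell whether a DLL opts into ASLR via the DYNAMIC_BASE flag; the file path passed on the command line (for instance sophos_detoured_x64.dll) is an assumed input, and the minimal PE headers built by make_min_pe are constructed test data.

```python
import struct

# Constants from the Microsoft PE/COFF specification.
IMAGE_DOS_SIGNATURE = 0x5A4D        # "MZ"
IMAGE_NT_SIGNATURE = 0x00004550     # "PE\0\0"
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # image may be relocated (ASLR)
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100


def dll_characteristics(image):
    """Return the DllCharacteristics field from a PE image's optional header."""
    if len(image) < 0x40 or struct.unpack_from("<H", image, 0)[0] != IMAGE_DOS_SIGNATURE:
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if struct.unpack_from("<I", image, e_lfanew)[0] != IMAGE_NT_SIGNATURE:
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20          # skip "PE\0\0" and the 20-byte COFF header
    magic = struct.unpack_from("<H", image, opt)[0]
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+ headers.
    return struct.unpack_from("<H", image, opt + 70)[0]


def supports_aslr(image):
    """True if the image opts into ASLR via DYNAMIC_BASE; a DLL without the
    flag loads at its preferred base address, as the advisory describes."""
    return bool(dll_characteristics(image) & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)


def make_min_pe(dll_chars, pe32plus=False):
    """Constructed minimal PE header (no sections) for exercising the check."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C,
                       0, 0, 0, 0, 240 if pe32plus else 224, 0x2022)
    opt = (struct.pack("<H", PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
           + b"\0" * 68 + struct.pack("<H", dll_chars))
    return dos + b"PE\0\0" + coff + opt


if __name__ == "__main__":
    import sys
    # Usage: python check_aslr.py <path to DLL>  (path is an assumed input)
    with open(sys.argv[1], "rb") as f:
        print("ASLR:", "yes" if supports_aslr(f.read()) else "NO (static base)")
```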

Internet Explorer protected mode is effectively disabled by Sophos
Sophos Antivirus installs a Layered Service Provider (LSP) into Internet Explorer that loads DLL files from directories writable at low integrity. This effectively disables Internet Explorer's protected mode.

Universal XSS
The template for the LSP block page contains a Universal XSS vulnerability. A Universal XSS vulnerability effectively disables the browser's Same Origin Policy, allowing a malicious website to interact with browser data belonging to other web sites.

Memory corruption vulnerability in Microsoft CAB parsers
The SARCcabSTart() function allocates a fixed-size 32768 byte buffer to store the contents of CFDATA structures. The CFDATA structure carries a 16-bit size field that can declare up to 2^16 - 1 bytes, but the fixed buffer is only 2^15 bytes. Vulnerabilities that result in attacker-controlled memory corruption are exploitable.
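The bounds check described as missing above, as an added example that is not Sophos' code: a small CFDATA block reader in Python that refuses any block whose 16-bit cbData exceeds the fixed 2^15-byte buffer before copying anything; the sample blocks are constructed and the checksum field is left unused.

```python
import struct

# CFDATA block header in the Microsoft Cabinet (CAB) format, little-endian:
# csum u32 | cbData u16 | cbUncomp u16, followed by cbData payload bytes.
CFDATA_HDR = struct.Struct("<IHH")

# Buffer size described in the advisory: 2^15 bytes, while the 16-bit
# cbData field can declare anything up to 2^16 - 1 bytes.
BLOCK_BUF_SIZE = 32768

def read_cfdata_blocks(blob, buf_size=BLOCK_BUF_SIZE):
    """Walk consecutive CFDATA blocks; return [(cbData, cbUncomp, payload)].
    Raises ValueError instead of reading past the buffer or the input."""
    blocks, off = [], 0
    while off < len(blob):
        if off + CFDATA_HDR.size > len(blob):
            raise ValueError("truncated CFDATA header at offset %d" % off)
        _csum, cb_data, cb_uncomp = CFDATA_HDR.unpack_from(blob, off)
        off += CFDATA_HDR.size
        # The check the advisory says was missing: validate the size field
        # against the destination buffer before copying anything.
        if cb_data > buf_size:
            raise ValueError("cbData=%d exceeds %d-byte buffer" % (cb_data, buf_size))
        if off + cb_data > len(blob):
            raise ValueError("CFDATA payload runs past end of input")
        blocks.append((cb_data, cb_uncomp, blob[off:off + cb_data]))
        off += cb_data
    return blocks

def cfdata_is_safe(blob, buf_size=BLOCK_BUF_SIZE):
    """True if every block in blob passes the bounds checks above."""
    try:
        read_cfdata_blocks(blob, buf_size)
        return True
    except ValueError:
        return False

def make_cfdata(payload, cb_data=None):
    """Constructed sample block (checksum left 0); cb_data lets a caller
    declare a size that differs from the real payload length."""
    if cb_data is None:
        cb_data = len(payload)
    return CFDATA_HDR.pack(0, cb_data, len(payload)) + payload

# Constructed samples: a well-formed block, and one whose size field claims
# 65535 bytes, the oversize case that overruns a 2^15-byte buffer.
GOOD_BLOCK = make_cfdata(b"A" * 100)
OVERSIZE_BLOCK = make_cfdata(b"B" * 100, cb_data=0xFFFF)
```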

RAR virtual machine standard filters memory corruption
RAR decompression includes a bytecode-interpreting VM. The VM_STANDARD opcode takes a filter as an operand. Sophos Antivirus does not correctly handle these filters, causing memory corruption.

Privilege escalation through network update service
Sophos Antivirus includes a network update service that runs with NT AUTHORITY\SYSTEM privileges. The service loads modules from a directory that is world-writable. A specially crafted DLL file placed in that directory will be loaded by the update service with SYSTEM privileges.

Stack buffer overflow decrypting PDF files
Sophos Antivirus attempts to parse encrypted revision 3 PDF files by reading the encryption key contents into a fixed-length stack buffer of 5 bytes. A specially crafted PDF file whose Length attribute (the key length in bits) is greater than 5*8 will cause a buffer overflow.


Impact

An attacker may be able to gain control of the system, escalate privileges, or cause a denial-of-service condition.


Apply an Update

Sophos has released patches to address these vulnerabilities. Sophos customers should acquire the patches through their usual support channels.

Vendor Information

Vendor | Status | Date Notified | Date Updated
Sophos, Inc. | Affected | - | 10 Oct 2012


References

  • https://lock.cmpxchg8b.com/sophailv2.pdf
  • http://nakedsecurity.sophos.com/2012/11/05/tavis-ormandy-sophos/
  • http://lists.grok.org.uk/pipermail/full-disclosure/2012-November/088813.html


Thanks to Tavis Ormandy for reporting this vulnerability.

This document was written by Jared Allar.

Other Information

  • CVE IDs: Unknown
  • Date Public: 05 Nov 2012
  • Date First Published: 05 Nov 2012
  • Date Last Updated: 06 Nov 2012
  • Document Revision: 38



Original Source

Url : http://www.kb.cert.org/vuls/id/662243

Alert History

Date | Information
2014-02-17 12:08:05 | Multiple Updates
2013-11-11 12:41:42 | Multiple Updates
2012-11-29 21:20:27 | Multiple Updates