Patch/Configuration Management, Vulnerability Management

Customers warned of Sophos Ant-Virus flaw

Sophos warned customers this week of a newly discovered vulnerability in a number of its products.

The flaw exists in the products unpacking of Microsoft Cabinet (CAB) files "whereby a CAB file could be deliberately crafted to allow an attacker to execute arbitrary code on a vulnerable installation of Sophos Anti-Virus," according to the Sophos advisory.

The flaw exists on Sophos Anti-Virus products for Windows, Mac, UNIX and Linux.

Sophos said it had not yet seen malicious users target the flaw.

"Although theoretically a risk, Sophos has not seen any examples of malware attempting to employ this vulnerability. Furthermore, the vulnerability does not prevent Sophos' desktop on-access scanner from correctly detecting viruses (and preventing actual infection) which are unpacked from affected files, so the risks of infection are very small," warned the Sophos advisory.

The flaw only exists when cabinet file inspection is explicitly enabled, according to Sophos. Authentication is not required for the flaw, which could enable a malicious user to execute code onto a computer.

The vulnerability was discovered by an anonymous user and first reported by 3Com's Zero Day Initiative, according to vulnerability monitoring firm Secunia.

TippingPoint customers received a digital vaccine for the flaw in mid-March, according to the Zero Day Initiative site. The flaw was reported to Sophos on March 20.

The SANS Internet Storm Center warned users today that "the list of products affected is pretty big and covers everything from the desktop Anti-Virus scanners over PureMessage for SMTP and Exchange."

The flaw can be exploited by creating a special CAB file with invalid file counts in the header, according to SANS.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.