Tavis Ormandy, an information security engineer at Google and a security researcher, has published his findings in a paper titled "Sophail: Applied attacks against Sophos Antivirus". Ormandy, who performed the research in his spare time, has highlighted quite a few vulnerabilities spanning the AV code that is responsible for parsing VB6, CAB, RAR and PDF files.
The researcher claims that some of the vulnerabilities can be used to run arbitrary code on vulnerable systems and that too by exploiting those remotely. Ormandy, who has claimed that his employer has nothing to do with the research, has included an exploit for PDF parsing vulnerability as proof of concept which has been built for Mac systems. The Windows and Linux versions of the Sophos Antivirus are equally vulnerable.
The proof of concept exploit doesn’t require any human intervention and can be triggered by simply receiving an email in Outlook or Mail.app as the antivirus intercepts I/O operations automatically.
Another startling thing Ormandy has revealed is about a component dubbed "Buffer Overflow Protection System" (BOPS) that comes bundled with the antivirus. BOPS disables the ASLR (address space layout randomization), which is one of the security mechanism of latest Windows operating systems, thereby rendering the operating system vulnerable.
Ormandy has advised organizations not to install Sophos’ antivirus software on critical systems up until the antivirus company gets its act right and improves its security response and quality assurance practices along with its product development processes.
Sophos has already patched some of the vulnerabilities that have been highlighted by Ormandy as he shared his findings with the antivirus company earlier before the public disclosure.