Does Sophos protect against any exploits which utilize vulnerabilities in unsupported OSs?

Question

Since I am still running 10.8 and booting occasionally to 10.6, both of which are no longer supported by Apple, I would like to know if Sophos can protect against any exploits utilizing any of the unpatched vulnerabilities present in these OSs? 
 I realize that Sophos can not by itself patch OS vulnerabilities, that's up to Apple. But does Sophos protect against any exploits made possible by way of these vulnerabilities in unsupported OSs? Or does Sophos, regardless of the OS, protect only against known, cataloged malware (trojans) and adware?

bobcook · Accepted Answer

Let's cover the NTP exploit first. For anyone else following along, go read the original article first. Thank you. Ok this vulnerability allows a remote attacker to send your computer malformed packets that cause the receiver to execute the attacker's code rather than what it was supposed to run. These definitely are terrible, and its not just NTP that is vulnerable - any process which parses unknown / untrusted input is potentially open to such an attack. We spend a lot of time and effort to ensure our code isn't subject to this type of an attack. If the software under attack was a web browser then our existing solution is going to provide a layer of protection (that is why Web Protection exists). 
 But we don't currently filter all of the network traffic , so we are not going to see the initial attack against the NTP protocol. The exploited process would then be able to start doing things on your computer, and (depending on the attack itself) we may be able to detect and block it via the filesystem scanner, if the exploit tries to write new files or modify existing files on disk. Surprisingly that is common, as the exploited software would normally disappear as soon as you reboot. In order to get a foothold, malicious software tends to write files to disk in order to get restarted on boot. 
 That is a very complicated way to say it depends on the attack . 
 The Shellshock exploits are generally easier for us to detect at the client side with our existing technologies, as the delivery mechanism tends to be web browsers and through the filesystem e.g. sharing USB keys. But similar to the NTP exploits, we don't filter all of the network traffic we don't see incoming DHCP packets (just using the example from the article) nor would we protect an HTTP server you ran on your Mac (we filter web browsers, not web servers). 
 In regards to the specific question of does Sophos take up any of the slack that Apple ignores the answer is very difficult to say, as mentioned previously we don't categorize what we detect / block by whether it targets new or old versions of OS X. Its easier to say that we are actively detecting / blocking threats that are known and recognized, regardless how old they are. That is unlikely to be a satisfying answer, but there isn't a general answer to such a broad question. Sorry.

bobcook · Answer

The current product technology for file scanning and web filtering provides protection against known exploits actively in use in the wild. Such exploits we detect and block may or may not be applicable on older versions of OS X. I don't have an easy way to find out, as we don't categorize threats by OS version. 
 
I don't think its possible for any product to guarantee protection against unknown exploits for any version of OS X (despite any marketing claims). 
 
The real risk (the root of your question) is the existence of an exploit that is used in the wild, but only against a very small number of targets. This increases the chance that such an exploitation will never hit the radar of security researchers nor does it trip any existing detection technology. Its unknown how to answer such a question with absolute certainty, so instead you have to consider the possibility of the existence of unknown exploits. 
 
Given that Apple stopped supporting, and presumably has stopped testing these older versions of OS X, the chance of unknown exploits being discovered (and used by bad actors) is likely somewhat higher. How high? Hard to say, but by past experience the risk is not very much higher than the supported versions of OS X. Can't guarantee it though - only Apple could do that, and seems unlikely they will say much on the topic. 
 
Hope that helps.