
Does Sophos protect against any exploits which utilize vulnerabilities in unsupported OSs?

Since I am still running 10.8 and booting occasionally to 10.6, both of which are no longer supported by Apple, I would like to know whether Sophos can protect against any exploits utilizing any of the unpatched vulnerabilities present in these OSs.


I realize that Sophos cannot by itself patch OS vulnerabilities; that's up to Apple. But does Sophos protect against any exploits made possible by way of these vulnerabilities in unsupported OSs? Or does Sophos, regardless of the OS, protect only against known, cataloged malware (trojans) and adware?



  • The current product technology for file scanning and web filtering provides protection against known exploits actively in use in the wild. Such exploits we detect and block may or may not be applicable on older versions of OS X. I don't have an easy way to find out, as we don't categorize threats by OS version.

    I don't think it's possible for any product to guarantee protection against unknown exploits for any version of OS X (despite any marketing claims).

    The real risk (the root of your question) is the existence of an exploit that is used in the wild, but only against a very small number of targets. This increases the chance that such an exploitation will never hit the radar of security researchers, nor trip any existing detection technology. It's unknown how to answer such a question with absolute certainty, so instead you have to consider the possibility of the existence of unknown exploits.

    Given that Apple stopped supporting, and presumably has stopped testing, these older versions of OS X, the chance of unknown exploits being discovered (and used by bad actors) is likely somewhat higher. How high? Hard to say, but by past experience the risk is not very much higher than for the supported versions of OS X. Can't guarantee it though - only Apple could do that, and it seems unlikely they will say much on the topic.

    Hope that helps.

    ---

    Bob Cook (bob.cook@sophos.com) Director, Software Development

  • Follow up question then, can I take what you have said to mean that "exploits" are not narrowly defined by Sophos only if there are specific trojan (or adware) signatures, either by name or content?

    And, second, as examples only, since, when they were current, I quickly applied patches to my 10.6 for both of these from outside of Apple. (Currently running mainly 10.8, also unsupported now. Still occasionally boot to 10.6.) But would Sophos have protected, or does it protect, against Shellshock?

    http://www.zdnet.com/article/first-attacks-using-shellshock-bash-bug-discovered/

    Or against the NTP vulnerability?

    http://www.zdnet.com/article/major-ntp-security-holes-appears-and-are-being-exploited/


    They issued patches for some OSs higher up, but Apple did nothing for 10.6 for either of these. Did (does) Sophos protect against any attacks based on either of these vulnerabilities found in the wild?


    Or is it possible for you to give an example of an exploit proceeding from an unpatched vulnerability for which Sophos does offer protection?

    >>"I don't think its possible for any product to guarantee protection against unknown exploits for any version of OS X (despite any marketing claims)."

    Yes, definitely, and not asking for that. Asking to what extent Sophos does protect against known exploits which issue from unpatched vulnerabilities. And yes, I am aware that some of this stuff is used in targeted attacks, especially by state actors against political adversaries, or for targeted corporate theft. Not generally worried about being the victim of one of those.


    Bottom line question, does Sophos take up any of the slack that Apple ignores?

  • Hi,

    We've received your question and we'll get an answer to you next week. Have a great weekend!

    Bob
  • Let's cover the NTP exploit first. For anyone else following along, go read the original article first. Thank you. OK, this vulnerability allows a remote attacker to send your computer malformed packets that cause the receiver to execute the attacker's code rather than what it was supposed to run. These definitely are terrible, and it's not just NTP that is vulnerable - any process which parses unknown / untrusted input is potentially open to such an attack. We spend a lot of time and effort to ensure our code isn't subject to this type of an attack. If the software under attack was a web browser then our existing solution is going to provide a layer of protection (that is why Web Protection exists).

    But we don't currently filter all of the network traffic, so we are not going to see the initial attack against the NTP protocol. The exploited process would then be able to start doing things on your computer, and (depending on the attack itself) we may be able to detect and block it via the filesystem scanner, if the exploit tries to write new files or modify existing files on disk. Surprisingly that is common, as the exploited software would normally disappear as soon as you reboot. In order to get a foothold, malicious software tends to write files to disk in order to get restarted on boot.

    That is a very complicated way to say it depends on the attack.

    The Shellshock exploits are generally easier for us to detect at the client side with our existing technologies, as the delivery mechanism tends to be web browsers and the filesystem, e.g. sharing USB keys. But similar to the NTP exploits, we don't filter all of the network traffic, so we don't see incoming DHCP packets (just using the example from the article), nor would we protect an HTTP server you ran on your Mac (we filter web browsers, not web servers).

    In regards to the specific question of whether Sophos takes up any of the slack that Apple ignores, the answer is very difficult to give: as mentioned previously, we don't categorize what we detect / block by whether it targets new or old versions of OS X. It's easier to say that we are actively detecting / blocking threats that are known and recognized, regardless how old they are. That is unlikely to be a satisfying answer, but there isn't a general answer to such a broad question. Sorry.

    ---

    Bob Cook (bob.cook@sophos.com) Director, Software Development
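As an added illustration of the point above about exploited software writing files to disk to get restarted on boot (example code written for this page, not part of the thread or of any Sophos product): a small Python triage of launchd property lists, the usual persistence mechanism on OS X, which is the moment a file scanner gets its look at an otherwise in-memory network exploit. The sample plists are constructed and the trusted/suspect path prefixes are assumptions to tune per host.

```python
"""Triage launchd persistence entries on OS X (added example, not Sophos code).
A malformed-packet exploit of a network daemon leaves nothing on disk; the
file scanner gets its chance when the payload writes a launchd job to survive
a reboot. Sample plists are constructed; the path lists are assumptions."""
import plistlib
from typing import Dict, List, Optional

TRUSTED_PREFIXES = ("/System/", "/usr/", "/bin/", "/sbin/", "/Applications/")
# Writable without privileges; a boot-time job pointing here is a red flag.
SUSPECT_PREFIXES = ("/tmp/", "/private/tmp/", "/var/tmp/", "/Users/Shared/")


def program_of(job: dict) -> Optional[str]:
    """Executable a job runs: Program takes precedence over ProgramArguments."""
    if "Program" in job:
        return job["Program"]
    args = job.get("ProgramArguments")
    return args[0] if isinstance(args, list) and args else None


def triage(plist_text: bytes) -> Dict[str, object]:
    """Classify one plist as trusted / review / suspect, noting boot persistence."""
    job = plistlib.loads(plist_text)
    prog = program_of(job)
    persistent = bool(job.get("RunAtLoad") or job.get("KeepAlive"))
    if prog is None:
        verdict = "review"    # no executable at all: malformed or unusual
    elif prog.startswith(SUSPECT_PREFIXES):
        verdict = "suspect"
    elif prog.startswith(TRUSTED_PREFIXES):
        verdict = "trusted"
    else:
        verdict = "review"    # third-party path: check against software inventory
    return {"label": job.get("Label", "?"), "program": prog or "",
            "persistent": persistent, "verdict": verdict}


def make_plist(label: str, args: List[str], run_at_load: bool) -> bytes:
    """Build a constructed launchd plist (demo input only)."""
    return plistlib.dumps({"Label": label, "ProgramArguments": args,
                           "RunAtLoad": run_at_load})


# Constructed samples: a system daemon, a dropper in a shared dir, a vendor agent.
SAMPLES = [
    make_plist("com.example.ntpd", ["/usr/sbin/ntpd", "-n"], True),
    make_plist("com.example.updater", ["/Users/Shared/.cache/update", "-q"], True),
    make_plist("com.example.vendor", ["/opt/vendor/bin/agent"], False),
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(triage(sample))
```

On a real host the same function can be fed the contents of each file under /Library/LaunchDaemons, /Library/LaunchAgents and ~/Library/LaunchAgents.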
