We are aware of a security risk that affects only the initial installation of the endpoint protection for Mac. Once the product is successfully installed there is no further risk.
There is a very narrow window of opportunity for an attacker to inject a program into the installation package and run it with elevated privileges on a macOS (OS X) system. This opportunity exists only while the user is being prompted for their administrative credentials during initial installation. The injection cannot occur before the installer has been run or before the prompt, as the Sophos installer performs a self-check to mitigate against this type of attack. Only an attack made while the prompt is displayed can succeed using this injection technique. Successful exploitation requires the attacker to already be running their malicious code on the system before the user launches the Sophos installer.
This vulnerability will be addressed in an update in the last quarter of 2017.

Applies to the following Sophos products and versions:
- Sophos Home
- Sophos Anti-Virus for Mac Home Edition
- Sophos Anti-Virus for Mac OS X
- Sophos Cloud Managed Endpoint 9.6.3 (Mac)
An effective mitigation against this attack is to install from the command line: first secure the installation package against tampering by unauthorized users, then verify that it is a legitimately signed Sophos installer before running it.
sudo su -
# Make the package root-owned and read-only so an unprivileged process cannot modify it
chown -R root:wheel Sophos\ Installer.app
chmod -R a-w Sophos\ Installer.app
# Verify the code signature; an exit status of 0 means the signature is valid
codesign -v Sophos\ Installer.app ; echo $?
# Run the installer non-interactively (only if the previous check printed 0)
Sophos\ Installer.app/Contents/MacOS/tools/InstallationDeployer --install
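The commands above print the codesign exit status but leave it to the operator to stop when it is non-zero. The script below is an added example (not Sophos' own tooling) that wraps the same lock-down, verify and install steps so that the install step is simply never reached unless the bundle is read-only for everyone and `codesign` accepts it. It assumes the bundle layout shown above (`Contents/MacOS/tools/InstallationDeployer`), uses `codesign --verify --deep --strict` rather than the page's shorter `codesign -v`, and falls back to numeric `0:0` (gid 0 is wheel on macOS) only on systems that have no `wheel` group name.

```shell
#!/bin/sh
# Hardened command-line install: lock the bundle, verify it, then install.
set -u

# Make every file and directory in the bundle root-owned and non-writable.
# The advisory's procedure runs this as root; run unprivileged, it still
# strips the write bits, which is what blocks the attacker's injection.
lock_bundle() {
  bundle=$1
  [ -d "$bundle" ] || { echo "not a bundle directory: $bundle" >&2; return 1; }
  if [ "$(id -u)" -eq 0 ]; then
    # gid 0 is 'wheel' on macOS; the fallback keeps this usable where the
    # group name does not exist (assumption for portability, not from the page)
    chown -R root:wheel "$bundle" 2>/dev/null || chown -R 0:0 "$bundle"
  fi
  chmod -R a-w "$bundle"
}

# Succeeds only when nothing inside the bundle is writable by anyone.
bundle_is_locked() {
  [ -z "$(find "$1" \( -perm -u+w -o -perm -g+w -o -perm -o+w \) -print | head -n 1)" ]
}

# codesign exits 0 only when the seal is intact and the signature chains to
# a trusted anchor; --deep covers nested code, --strict applies current rules.
verify_signature() {
  codesign --verify --deep --strict "$1"
}

# The install step runs only after both checks pass; any failure returns 1
# without touching the deployer.
install_locked_bundle() {
  bundle=$1
  lock_bundle "$bundle" || return 1
  if ! bundle_is_locked "$bundle"; then
    echo "bundle still has writable paths; refusing to install" >&2
    return 1
  fi
  if ! verify_signature "$bundle"; then
    echo "code signature check failed; refusing to install" >&2
    return 1
  fi
  "$bundle/Contents/MacOS/tools/InstallationDeployer" --install
}

# Usage: sh install-locked.sh "/path/to/Sophos Installer.app"
if [ "$#" -ge 1 ]; then
  install_locked_bundle "$1"
fi
```

Two caveats a practitioner should keep in mind: the write-bit removal only stops processes that are not already root, which matches the advisory's threat (malicious code already running in the user's session), and a missing `codesign` binary makes `verify_signature` fail closed, so the script refuses to install rather than installing unverified.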