Sophos continually improves the protection delivered by our products with regular updates, and we always recommend that customers upgrade to the latest version to get the best protection.
As a security company, keeping our customers safe is our primary responsibility. Improving protection is key but, we also continually improve the security of our own products, including working with independent security researchers to achieve this.
In this case, Sophos has been working with Tavis Ormandy, who approached Sophos with a number of vulnerabilities that he had discovered after examining our endpoint protection product.
Applies to the following Sophos product(s) and version(s) Differs per vulnerability. See tables below for details.
Sophos believes in responsible disclosure. We appreciate the help from Tavis Ormandy, and others like him in the research community, in working with us to make our products stronger and more secure. The specific vulnerabilities that he reported are:
More recently, Mr Ormandy provided examples of other specially crafted files (with no associated vulnerabilities) which would cause the Sophos Anti-Virus engine to behave unexpectedly if scanned. A new version of the Anti-Virus engine, to better handle these types of files, will begin rolling out to Sophos customers on November 28th 2012.
If you are using a Sophos gateway security product (i.e., PureMessage for UNIX, Sophos UTM, or a web/email appliance) we have released Sophos Anti-Virus version 4.83 to gateway security products to address all relevant vulnerabilities listed below. For details see article 118522.
Shown below is a table to quickly advise what minimum product version we recommend. Not only will this resolve all relevant vulnerabilities listed above, but also provides best protection.
†If you are running Sophos Anti-Virus for Windows 10.0.9 you have all fixes except for the Internet Explorer protected mode issue, which will be addressed in Sophos Anti-Virus for Windows 10.0.10 in early December. ‡9.x are 'Extended Maintenance' packages that are currently scheduled for phased roll-out in December.
If you have a gateway product you should check the engine version and ensure it matches the recommended:
If you have computers running Windows 2000/XP/2003/Vista/7/2008/2008 R2/8 and feel you are unable to upgrade to the recommended product, please contact Technical Support or your account manager to discuss ways to overcome the upgrade issues.
Ensure your Sophos Update Manager is subscribed to the software package labeled 'Recommended' as described in our article: Managing your software subscriptions in Enterprise Console.
Every comment submitted here is read (by a human) but we do not reply to specific technical questions. If you need technical support please post a question to our community. Alternatively for licensed products open a support ticket.