
Version 9 vulnerabilities - Article ID: 118424 (Tavis Ormandy)

In the article 118424 there are a number of vulnerabilities listed which affect version 9 of Sophos. All but one of these state they are fixed in version 9.x.

The one which doesn't is in relation to the sophos_detoured_x64.dll ASLR bypass vulnerability, which states it affects 9.X and 10.X; however, "Fixed in version" only lists version 10.X products.

Based on this I believe customers running the latest version 9.X of Sophos are subject to this vulnerability, and if so, are there any plans to release an update to version 9 to resolve this? I realise there is the option to disable detours at an OS level, but is this the only option to mitigate this vulnerability for customers running version 9?

For completeness, I am running Windows 7 x64, with Sophos AV 9.77, Detection Engine 3.37.2.

Many Thanks in advance

  • Hello Surry,

    what's the reason you stay on 9.x which, as far as I understand, is already in the Extended Maintenance phase?

    Christian


  • QC wrote:

    Hello Surry,

    what's the reason you stay on 9.x which, as far as I understand, is already in the Extended Maintenance phase?

    Christian


    Christian,

    Deployment of version 10 is on our radar but certainly isn't imminent, and as with any large deployment (many thousands of client PCs) the appropriate planning and testing needs to be completed before we roll out version 10. Our response to these vulnerabilities needs to happen before this planning is complete.

    As I'm sure you will agree, rushing into the deployment of a new product which is fundamental to security in response to vulnerabilities in a product would not be a good place to be. We made a decision to stay on version 9 currently, based around the Sophos product lifecycle documentation here, which states product vulnerabilities would be addressed whilst it is in extended maintenance.

    My question, in line with this product lifecycle, is: when will Sophos address this issue for version 9.X customers?

    Many Thanks

  • Hello Surry,

    I've already forgotten what changed from 9.7 to 10.0 ;), the latter now out for slightly over one year. As there have been (significant) changes with the detours from 9.7 to 10.x, it might be harder to make the necessary changes in 9.x.

    Nevertheless you have certainly a point here. So let's see what Sophos says.

    Christian

  • Hello Surry, Sophos is working on implementing the changes into 9.x; however, there is always a risk when dealing with legacy code and we intend to ensure that when the release goes out it is stable and does not affect your infrastructure. We are aware that the majority of our customers who are on the extended maintenance packages are more interested in stability, hence remaining on the older packages, and are trying to ensure that we can fix this as fast and as safely as possible without introducing more risk to you.

    One point: if you are still running Windows XP on your estate and the ASLR is a concern for you, then you probably should push to upgrade your OSes to take advantage of this as well. Prior to Windows Vista, ASLR was not implemented and the fix will not impact you. If you have any further questions (apart from "can I have a date", as I cannot answer that particular one) please ask. HTH.

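The practical check behind this whole thread is whether a given build of a DLL opts into ASLR at all: a Windows image is only randomised if its optional header carries IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE (the /DYNAMICBASE linker flag), and even then only if its relocations have not been stripped. The script below is an added example written for this page, not Sophos code or anything from the article; it parses the PE headers directly so it can be run against the DLL named in the thread (or any other module) on the affected clients. The sample images it checks when run without arguments are constructed header-only fixtures with illustrative file names, not real binaries.

```python
"""Check whether a PE image (EXE/DLL) opts into ASLR via IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE.

Added example for this thread, not Sophos code. The fixtures in SAMPLES are
constructed header-only images, not real binaries.
"""
import struct
import sys

# COFF File Header: Characteristics and Machine
IMAGE_FILE_RELOCS_STRIPPED = 0x0001        # no .reloc data: the loader cannot rebase the image
IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_MACHINE_AMD64 = 0x8664
# Optional Header: DllCharacteristics
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA = 0x0020
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040   # /DYNAMICBASE: the ASLR opt-in
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100
PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B
MACHINE_NAMES = {IMAGE_FILE_MACHINE_I386: "x86", IMAGE_FILE_MACHINE_AMD64: "x64"}


def aslr_status(image: bytes) -> dict:
    """Parse the PE headers and report the ASLR-relevant flags."""
    if image[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    coff = e_lfanew + 4
    (machine, _nsections, _timestamp, _symtab, _nsyms,
     opt_size, characteristics) = struct.unpack_from("<HHIIIHH", image, coff)
    opt = coff + 20                      # optional header follows the 20-byte COFF header
    if opt_size < 72:
        raise ValueError("optional header too short to contain DllCharacteristics")
    magic = struct.unpack_from("<H", image, opt)[0]
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+ optional headers.
    dllchars = struct.unpack_from("<H", image, opt + 70)[0]
    dynamic_base = bool(dllchars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
    relocs_stripped = bool(characteristics & IMAGE_FILE_RELOCS_STRIPPED)
    return {
        "machine": MACHINE_NAMES.get(machine, "0x%04x" % machine),
        "pe32plus": magic == PE32PLUS_MAGIC,
        "dynamic_base": dynamic_base,
        "high_entropy_va": bool(dllchars & IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA),
        "nx_compat": bool(dllchars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "relocs_stripped": relocs_stripped,
        # DYNAMIC_BASE is meaningless if there are no relocations for the loader to apply.
        "effective_aslr": dynamic_base and not relocs_stripped,
    }


def build_minimal_pe(machine, characteristics, dll_characteristics, pe32plus=True) -> bytes:
    """Constructed header-only fixture (not a loadable binary) used for demonstration."""
    opt_size = 240 if pe32plus else 224
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, len(dos))   # e_lfanew: PE header right after the DOS header
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, characteristics)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<H", opt, 70, dll_characteristics)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


# Constructed samples; the names are illustrative, not real files.
SAMPLES = {
    "no_aslr_x64.dll": build_minimal_pe(IMAGE_FILE_MACHINE_AMD64, 0,
                                        IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
    "aslr_x64.dll": build_minimal_pe(IMAGE_FILE_MACHINE_AMD64, 0,
                                     IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
                                     | IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
                                     | IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
    "relocs_stripped_x86.dll": build_minimal_pe(IMAGE_FILE_MACHINE_I386,
                                                IMAGE_FILE_RELOCS_STRIPPED,
                                                IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE,
                                                pe32plus=False),
}


def report(name: str, image: bytes) -> str:
    """One-line verdict for an image, as printed by the command-line entry point."""
    s = aslr_status(image)
    verdict = "ASLR" if s["effective_aslr"] else "NO ASLR"
    return "%-24s %s %-7s dynamic_base=%s relocs_stripped=%s high_entropy_va=%s" % (
        name, s["machine"], verdict, s["dynamic_base"], s["relocs_stripped"], s["high_entropy_va"])


if __name__ == "__main__":
    # Pass real paths (for example the DLL named in the thread) to check files on disk;
    # with no arguments the constructed samples are checked instead.
    if len(sys.argv) > 1:
        for path in sys.argv[1:]:
            with open(path, "rb") as f:
                print(report(path, f.read()))
    else:
        for name, image in SAMPLES.items():
            print(report(name, image))
```

The third fixture is the case worth remembering: a module can carry DYNAMIC_BASE and still load at a fixed address if the linker stripped its relocations, so a scan that only greps the flag will over-report coverage. Run the script over every module loaded into the processes you care about (not just the one named in the article) to get the full picture before and after an update.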