
Version 9 vulnerabilities - Article ID: 118424 (Tavis Ormandy)

In the article 118424 there are a number of vulnerabilities listed which affect version 9 of Sophos. All but one of these state they are fixed in version 9.x.

The one which doesn't is in relation to the sophos_detoured_x64.dll ASLR bypass vulnerability, which states it affects 9.x and 10.x; however, "Fixed in version" only lists version 10.x products.

Based on this I believe customers running the latest version 9.x of Sophos are subject to this vulnerability, and if so, are there any plans to release an update to version 9 to resolve this? I realise there is the option to disable detours at an OS level, but is this the only option to mitigate this vulnerability for customers running version 9?

For completeness, I am running Windows 7 x64, with Sophos AV 9.77, Detection Engine 3.37.2.

Many Thanks in advance




  • QC wrote:

    Hello Surry,

    What's the reason you stay on 9.x which, as far as I understand, is already in the Extended Maintenance phase?

    Christian


    Christian,

    Deployment of version 10 is on our radar but certainly isn't imminent, and as with any large deployment (many thousands of client PCs) the appropriate planning and testing needs to be completed before we roll out version 10. Our response to these vulnerabilities needs to happen before this planning is complete.

    As I'm sure you will agree, rushing into the deployment of a new product which is fundamental to security in response to vulnerabilities in a product would not be a good place to be. We made a decision to stay on version 9 currently, based around Sophos product lifecycle documentation here which states product vulnerabilities would be addressed whilst it is in extended maintenance.

    My question is: in line with this product lifecycle, when will Sophos address this issue for version 9.x customers?

    Many Thanks
