Security expert Tavis Ormandy has revealed critical security vulnerabilities in Sophos anti-virus software. This includes the publication of a proof of concept (PoC) for a root exploit for Sophos 8.0.6 for Mac OS X, which utilizes a stack buffer overflow when searching through PDF files. The vulnerability is also likely to affect Linux and Windows versions. Ormandy has published a full analysis on the SecLists.org security mailing list newsletter. A module for the Metasploit penetration testing software is now also available.

According to information from Sophos, the security deficits listed have been fixed since 5 November and the anti-virus company is not aware of any of the vulnerabilities having been exploited in the wild. Sophos also expressly thanks Ormandy for his work and for exercising responsibility when disclosing the problems. The complete list of bugs identified by Ormandy will, it says, be fixed by 28 November at the latest.

Ormandy's paperPDF on security deficits in Sophos software is particularly critical of the product's approach to address space layout randomization (ASLR). The paper also describes the ability to use PDF file encryption to trigger a stack buffer overflow, allowing an attacker to use a crafted URL or email to execute malicious code on an affected computer.

Ormandy works as a Security Engineer for Google and stresses that this publication has nothing to do with his employer. He was the subject of some criticism in 2010 after publishing details of a zero day vulnerability in Windows XP and Windows Server 2003 before Microsoft had released a patch.