Sophos Vulnerability
A critical, remotely exploitable vulnerability has been identified in
various Sophos Anti-Virus products. The list of products affected is
fairly large and covers everything from desktop Anti-Virus scanners
through PureMessage to MailMonitor for SMTP and Exchange.
The vulnerability can be exploited by crafting a special CAB (Microsoft
Cabinet) file with invalid folder count values in the header. This can
result in corruption of heap memory which can further lead to execution
of arbitrary code on the target machine.
This requires that the inspection of CAB files is enabled, which will
certainly be the case, at least on e-mail gateways (so this is a special
warning for users of PureMessage and MailMonitor packages).
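An added example, not taken from the Sophos advisory or from Sophos code: a C pre-check on the CAB header's folder count, run before any folder entries are allocated or read. Field offsets follow the published Microsoft Cabinet format; the advisory does not say which values trigger the flaw, so the check assumes the usual layout (folder table between the header and the CFFILE table) and rejects counts the file cannot hold. The function names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define CAB_HDR_LEN    36u     /* fixed part of CFHEADER */
#define CAB_FOLDER_LEN 8u      /* fixed part of each CFFOLDER */

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }

/* Return 0 if the declared folder count fits the data present, -1 if not. */
int cab_check_folders(const uint8_t *buf, size_t len)
{
    if (len < CAB_HDR_LEN || memcmp(buf, "MSCF", 4) != 0) return -1;
    uint32_t coff_files = rd32(buf + 16);   /* offset of first CFFILE */
    uint16_t c_folders  = rd16(buf + 26);   /* declared CFFOLDER count */
    uint16_t flags      = rd16(buf + 30);
    size_t off = CAB_HDR_LEN, entry = CAB_FOLDER_LEN;
    if (flags & 0x0004u) {                  /* reserve fields present */
        if (len - off < 4) return -1;
        size_t cb_hdr = rd16(buf + off);    /* per-cabinet reserve size */
        entry += buf[off + 2];              /* per-folder reserve size */
        off += 4;
        if (len - off < cb_hdr) return -1;
        off += cb_hdr;
    }
    /* Two NUL-terminated names each for previous (0x1) and next (0x2) cabinet. */
    unsigned names = ((flags & 1u) ? 2u : 0u) + ((flags & 2u) ? 2u : 0u);
    while (names--) {
        const uint8_t *nul = memchr(buf + off, 0, len - off);
        if (nul == NULL) return -1;
        off = (size_t)(nul - buf) + 1;
    }
    /* The whole folder table must fit before the CFFILE table and the end. */
    if (coff_files > len || coff_files < off) return -1;
    if ((size_t)c_folders * entry > coff_files - off) return -1;
    return 0;
}

/* Constructed sample: 36-byte header + one zeroed CFFOLDER, declaring `count`. */
int cab_sample_verdict(uint16_t count)
{
    uint8_t cab[44] = {0};
    memcpy(cab, "MSCF", 4);
    cab[8] = 44; cab[16] = 44;              /* cbCabinet, coffFiles */
    cab[24] = 3; cab[25] = 1;               /* version 1.3 */
    cab[26] = (uint8_t)count; cab[27] = (uint8_t)(count >> 8);
    return cab_check_folders(cab, sizeof cab);
}
```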
The Sophos advisory and details about updates are available at:
http://www.sophos.com/support/knowledgebase/article/4934.html
http://isc.sans.org/diary.php?storyid=1325
This message was brought to you by the Applied Security Task Force.
Contact us at: safecomputing@ucla.edu.