Sophos hit by security vulnerability

After years of making comments about third-party security issues, Sophos has found its own products are subject to a security vulnerability.

Ordinarily I'd be amused at this turn of events, especially since the company is red hot when it comes to issuing press releases about third-party security issues, but since it affects real users, I'll hold back from making sarcy comments.

That's not like you, Steve. -Ed

Apparently, the vulnerability relates to the way in which Sophos' IT security software handles Microsoft cabinet files (CAB).

According to the SANS Institute, the problem can, under certain circumstances, allow the PC hosting the Sophos software to be remotely controlled. This is, says the institute, a potentially critical security problem.

The vulnerability, says the Institute, can be exploited by creating a special CAB file with invalid folder count values in the header. This can result in the corruption of heap memory, allowing a hacker to execute arbitrary code on the compromised system.
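The failure mode the Institute describes, a header folder count that a parser trusts before sizing heap memory, shown from the defensive side in an added C example that is not Sophos's code and does not reproduce its flaw: a bounds-checked reader for the CAB CFHEADER and CFFOLDER table, fed a constructed sample header. Field offsets follow the public Microsoft cabinet format; cabinets with prev/next or reserve flags are rejected as out of scope here, which is an assumption of this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

#define CFHEADER_SIZE 36u  /* fixed part of the CAB header (CFHEADER) */
#define CFFOLDER_SIZE 8u   /* fixed part of one CFFOLDER entry */

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Parse the CFFOLDER table of an in-memory cabinet. Returns the folder count
 * (> 0) with *starts_out holding each folder's coffCabStart, or a negative
 * error code. cFolders is bounded by the bytes actually present between the
 * fixed header and coffFiles BEFORE it sizes any allocation or loop. */
int cab_read_folders(const uint8_t *buf, size_t len, uint32_t **starts_out)
{
    *starts_out = NULL;
    if (len < CFHEADER_SIZE || memcmp(buf, "MSCF", 4) != 0) return -1;
    uint32_t cb_cabinet = rd32(buf + 8);   /* total size the header claims */
    uint32_t coff_files = rd32(buf + 16);  /* offset of the first CFFILE */
    uint16_t c_folders  = rd16(buf + 26);
    uint16_t flags      = rd16(buf + 30);
    if (flags & 0x0007) return -2;  /* prev/next/reserve variants: not handled here (assumption) */
    if (cb_cabinet > len || coff_files > cb_cabinet || coff_files < CFHEADER_SIZE) return -3;
    /* Hostile header: a count the file cannot hold is rejected, never trusted. */
    if (c_folders == 0 || (size_t)c_folders * CFFOLDER_SIZE > coff_files - CFHEADER_SIZE) return -4;
    uint32_t *starts = calloc(c_folders, sizeof *starts);
    if (!starts) return -5;
    for (uint16_t i = 0; i < c_folders; i++) {
        const uint8_t *f = buf + CFHEADER_SIZE + (size_t)i * CFFOLDER_SIZE;
        starts[i] = rd32(f);  /* coffCabStart of folder i */
        if (starts[i] > cb_cabinet) { free(starts); return -6; }
    }
    *starts_out = starts;
    return c_folders;
}

/* Constructed 64-byte sample: a one-folder cabinet header; the caller overrides cFolders. */
size_t build_sample_cab(uint8_t out[64], uint16_t c_folders)
{
    static const uint8_t base[64] = { 'M','S','C','F', 0,0,0,0, 64,0,0,0, 0,0,0,0,
        44,0,0,0, 0,0,0,0, 3,1, 1,0, 1,0, 0,0, 0,0, 0,0,  /* coffFiles=44, cFolders=1, cFiles=1, flags=0 */
        60,0,0,0, 1,0, 0,0 };                             /* CFFOLDER 0: coffCabStart=60, cCFData=1 */
    memcpy(out, base, 64);
    out[26] = (uint8_t)c_folders; out[27] = (uint8_t)(c_folders >> 8);
    return 64;
}
```

The same 64 bytes with cFolders patched to 0xFFFF are refused before any allocation, which is the check whose absence turns a malformed header into a heap write.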

Sophos has responded to the Institute's warning by saying it isn't aware of any instances of the flaw being exploited by hackers so far, but has fixed the problem.

Products affected by the flaw are said to include Sophos' desktop anti-virus software and its e-mail gateway security packages...