I'd count myself amongst the last people to defend Sophos, but it does seem irresponsible that an engineer employed by Google would give only 5 days notice about a critical bug before releasing an exploit.
A security researcher has discovered embarrassing and critical vulnerabilities in Sophos' enterprise protection software. Tavis Ormandy, an information security engineer at Google, published a paper along with example attack code to highlight flaws present in Windows, Linux and Mac OS X builds of Sophos' antivirus product. …
I would suggest a more careful read of the article, in particular this sentence:
> Ormandy reported the vulnerabilities to Sophos on 10 September.
That's rather more than 5 days.
Better to test a product in house ...
before sale rather than wait for people to report defects.
Who does Sophos think they are? Microsoft?
Onel de Guzman
Point of order. Onel de Guzman, creator of the Love Bug, did his dastardly deed back in 2000 - ten years before the Naked Security blog was written. So we wouldn't have that many articles about him other than the odd retrospective piece. :)
The QA at Sophos has been poor in the last year. Two major problems caused by Sophos. The only plus was that they communicated constantly during the last problem, though that only goes so far since it's the second problem they've caused for us. I can't say I was a huge fan of McAfee when my organization used them but after these Sophos issues I am ready to look at other options.
OK, so he picked on Sophos
If he'd picked some other AV vendor what's to say he wouldn't have found something similar? You can only compare products if you test them the same way.
Like the Murphy's, they're not bitter...
Definitely a bit of a spat...
Sophos are pretty terrible
Their last balls up over a month ago is still causing us problems with machines today.
They completely and royally screwed up, released code that killed its own auto-updater and many others, which stopped it working properly. Their initial response actually caused even more damage with their suggestion, and they kept saying they were throwing their resources at it, but as their support staff finished their 8-hour shift and handed over, many network admins went into their 12+ hour shift trying to sort it out.
The explanation showed that the problem passed successfully through 5 separate QA systems that all should have picked it up and didn't.
How much compensation have they offered? Nothing!
Re: Sophos are pretty terrible
As far as I am concerned, I wouldn't use that buggy Sophos crap if I had free access to it, which I do.
Fail all round
Sophos for their buggy software, Google bloke for doing the typical security researcher irresponsible attention-seeking teenagerish behaviour pattern BS.
Nobody is addressing the REAL issue, here.
It's "Antivirus's" dammit!
Re: Nobody is addressing the REAL issue, here.
Perhaps, but I think we should go for a more nuanced, educational approach:
Not the only one with problems
Symantec have not been that good at detecting one of the Rimecud variants.
Everything else I run over it can find it.
Thank goodness for Stinger on company machines you can't install your own software on.