Short Name | HTTP:STC:DL:SOPHOS-MAL-VISIO |
---|---|
Severity | Critical |
Recommended | No |
Recommended Action | Drop |
Category | HTTP |
Keywords | Sophos Anti-Virus Malicious Visio File Attack |
Release Date | 2010/09/05 |
Update Number | 1768 |
Supported Platforms | idp-4.0+, isg-3.0+, j-series-9.5+, mx-9.4+, srx-9.2+, srx-branch-9.4+, vsrx-12.1+ |
This signature detects attempts to exploit a known vulnerability in Sophos Anti-Virus. Sophos Anti-Virus is vulnerable to a signed integer overflow. If Sophos AV scans a malformed Microsoft Visio file for viruses, the Sophos process could be taken over and arbitrary code executed as SYSTEM. Microsoft Visio does not need to be installed in order to exploit Sophos AV in this manner. Because of the complexity of Visio files, this signature can produce false positives and should therefore only be used in Internet-facing policies.
A remote heap overflow vulnerability exists in the Sophos Anti-Virus Library when scanning Visio files. The issue is due to the library's failure to properly bounds-check user-supplied input before copying data to an internal memory buffer.