
SpiderLabs Blog


TWSL2016-003: Sophos Anti-Virus Mac OS X Version Update File Unlinking Vulnerability

While researching inter-process communication on Mac OS X, I found a small security issue with Sophos Anti-Virus for Mac: any local user can remove arbitrary files on the system via the Update functionality of the product. This specific issue was found on version 9.2.9.

I started by listing all Sophos processes on my MacBook:


All except the GUI run as root and are unsandboxed. Looking into the details of the SophosAutoUpdate binary, I stumbled upon this code snippet:

int _al_ipc_callback() {

It turns out that any local user can trigger this code path by executing the /usr/local/bin/SophosUpdate binary or via the GUI applet, and the ownership of .com.sophos.sau.lock is not verified before it is removed.

So if a local user creates a symbolic link to a sensitive file owned by a privileged user, that file will be deleted during the update procedure, since the process doing the deletion (unlinking) runs as root and is not sandboxed. The Trustwave security advisory has proof-of-concept code that removes a root-owned file via this vulnerability.
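As an added example (my own code, not Sophos's and not the advisory's PoC), here is the check the unlinking step above was missing: a root process removing a lock file should refuse a symlink in the directory path or in the entry itself and verify the entry's owner before unlinking, all through one directory descriptor. Directory and file names in the demo are constructed.

```c
/* Added example, not the Sophos code: how a root process should remove a lock
 * file that an unprivileged user could replace.  Paths below are constructed. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hardened removal: open the directory without following a symlink, inspect
 * the entry without following a symlink, and unlink through the same
 * directory fd only if it is a regular file owned by the expected uid.
 * Returns 0 when removed, -1 when refused or on error. */
int unlink_lock_checked(const char *dir, const char *name, uid_t owner) {
    int dfd = open(dir, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
    if (dfd < 0) return -1;
    struct stat st;
    int rc = -1;
    if (fstatat(dfd, name, &st, AT_SYMLINK_NOFOLLOW) == 0 &&
        S_ISREG(st.st_mode) && st.st_uid == owner)
        rc = unlinkat(dfd, name, 0);
    close(dfd);
    return rc;
}

/* Constructed fixture in a fresh temp dir; returns 0 if every case behaves. */
int run_demo(void) {
    char dir[] = "/tmp/lockdemo.XXXXXX", victim[64], lock[64], linkdir[64];
    if (!mkdtemp(dir)) return 1;
    snprintf(victim, sizeof victim, "%s/victim.conf", dir);
    snprintf(lock, sizeof lock, "%s/.lock", dir);
    snprintf(linkdir, sizeof linkdir, "%s/linkdir", dir);
    int fd = open(victim, O_WRONLY | O_CREAT, 0600);
    if (fd < 0) return 2;
    close(fd);
    /* lock entry is a symlink to the victim: refused, victim untouched */
    if (symlink(victim, lock) != 0 ||
        unlink_lock_checked(dir, ".lock", getuid()) != -1) return 3;
    /* directory component is a symlink: O_NOFOLLOW refuses it */
    if (symlink(dir, linkdir) != 0 ||
        unlink_lock_checked(linkdir, "victim.conf", getuid()) != -1) return 4;
    /* regular file but owned by someone else: refused */
    if (unlink_lock_checked(dir, "victim.conf", getuid() + 1) != -1) return 5;
    /* regular file owned by the expected uid: removed */
    if (unlink_lock_checked(dir, "victim.conf", getuid()) != 0) return 6;
    if (access(victim, F_OK) == 0) return 7;
    unlink(lock); unlink(linkdir); rmdir(dir);
    return 0;
}
```

The owner check is what the lock-file handling lacked; doing it through the same directory descriptor as the unlink keeps a renamed or re-linked path from redirecting the removal between the check and the delete.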

Trustwave reported this issue to the vendor, and an update (9.2.10) is available for download.

For more information, please see the Trustwave security advisory: