Multiple vulnerabilities in Sophos security software, plus an exploit for a flaw, have been disclosed by security researcher Tavis Ormandy.

The Google researcher said that security professionals should "exclude Sophos products from consideration for high value networks and assets" in a paper released on Monday.

"Installing Sophos anti-virus exposes machines to considerable risk. If Sophos do not urgently improve their security posture, their continued deployment causes significant risk to global networks and infrastructure," said Ormandy on the Full Disclosure mailing list. "A sophisticated state-sponsored or highly motivated attacker could devastate the entire Sophos user base with ease."

Ormandy told SC Magazine via Twitter on Monday that mitigation details for the outlined flaws were in the paper, but that people should still discontinue use of Sophos software for critical networks.

"I don't know what else to suggest sorry," said Ormandy.

Ormandy described a number of vulnerabilities in the paper, all of which apply to Windows, Mac, and Linux systems. The flaws affect third party routers, VPN gateways and corporate proxies licensed to use Sophos core software.

Ormandy gave examples of design problems in Sophos software which "require urgent attention from affected administrators", with deployment best practices.

In addition, the researcher outlined a working exploit for the Sophos on-access scanner using a PDF stack buffer overflow. Sophos started rolling out a fix for this flaw on Monday.

The researcher criticised Sophos on the grounds that the company "were clearly ill-equipped to handle the output of one co-operative, non-adversarial security researcher."

"Sophos cannot react quickly to reports of vulnerabilities in their products, even when presented with working exploits," said Ormandy. "Should an attacker attempt to use Sophos as a conduit into your network, Sophos will not be able to react or help resolve the problem for some time."

Sophos said it had mitigated three of the issues in Ormandy's paper in October, and had started rolling out fixes for three of the flaws, in a blog post on Monday.

"As a security company, keeping customers safe is Sophos's primary responsibility," Sophos said in the blog. "As a result, Sophos experts investigate all vulnerability reports and implement the best course of action in the tightest time period possible."