Antivirus firm Sophos has warned enterprises that, instead of protecting users, its products could hand control of systems over to hackers.

The vulnerability has apparently not yet been exploited, and many users will have already installed a patch from Sophos, but the vulnerability has been labelled "critical" by the SANS Internet StormCenter.

The problem is in the way in which Sophos' software handles Microsoft cabinet files (CAB), which are compressed collections of files. "The vulnerability can be exploited by crafting a special CAB file with invalid folder count values in the header," SANS said. This can result in the corruption of heap memory and allows the hacker to execute arbitrary code on the compromised system.

Ron O'Brien, senior security analyst at Sophos, downplayed the threat and said it only presented a theoretical risk. "We don't have any indication of anybody exploiting the vulnerability, so the impact in this case has been low," he said.

Several Sophos products are affected by the flaw, including its desktop antivirus software, its small business portfolio and its line of gateway security products, such as PureMessage and MailMonitor.

The flaw was disclosed to Sophos about a month ago by a French researcher. A patch was made available on April 28 and customers who have subscribed to Sophos' automatic update service would have automatically received it, O'Brien said.

Sophos did not publicly disclose the vulnerability until Monday, and did so then only because the French firm that first discovered it was planning to go public with the information, according to O'Brien.