A review of 17 major anti-virus engines and products has found dangerous locally and remotely exploitable vulnerabilities in 14 of them.
According to research by COSEINC, as reported by The Register, the analysis also suggests that anti-virus vendors fall short in several ways: their products require overly extensive privileges, product updates are not signed and are delivered over insecure HTTP, large amounts of old code remain in use, and proper source code reviews and fuzzing are not conducted.
Engines written in C exhibited memory-safety vulnerabilities such as buffer and integer overflows; the products installed operating system drivers that enabled local privilege escalation; and support for a laundry list of file formats produced bugs in the respective parsers.
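The integer-overflow class mentioned above shows up most often in format parsers that compute a byte count from an attacker-controlled field. The following is an added example written for this page, not code from COSEINC or from any anti-virus product: it defines a hypothetical toy container (a 4-byte record count followed by 16-byte records, a constructed format), shows a bounds check in the pattern that overflows, and shows the hardened check that rejects the same header. The helper names `vulnerable_accepts`, `hardened_accepts` and the `_claim` wrappers are assumptions made here for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed toy container format (hypothetical, not from any real engine):
 * a 4-byte little-endian record count, then `count` records of 16 bytes each. */
#define HEADER_SIZE 4u
#define RECORD_SIZE 16u

static uint32_t read_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Weak check, written the way such bugs usually look: the 32-bit multiply
 * wraps for count >= 2^28, so a huge count can produce a small `needed`
 * that passes the comparison. A parser that then loops `count` times reads
 * far past the end of `buf`. Returns 1 if the header is accepted. */
int vulnerable_accepts(const uint8_t *buf, size_t len)
{
    if (len < HEADER_SIZE)
        return 0;
    uint32_t count  = read_le32(buf);
    uint32_t needed = count * RECORD_SIZE;        /* silent wraparound */
    if ((size_t)HEADER_SIZE + needed > len)
        return 0;
    return 1;
}

/* Hardened check: bound the count by what the buffer can hold before doing
 * any arithmetic that could overflow. Division cannot wrap, so any count
 * larger than the available record slots is rejected. */
int hardened_accepts(const uint8_t *buf, size_t len)
{
    if (len < HEADER_SIZE)
        return 0;
    uint32_t count = read_le32(buf);
    size_t   avail = len - HEADER_SIZE;
    if (count > avail / RECORD_SIZE)
        return 0;
    return 1;
}

/* Build a constructed 20-byte sample: header claiming `claimed_count`
 * records, followed by exactly one real 16-byte record. */
static size_t build_sample(uint8_t *out, uint32_t claimed_count)
{
    out[0] = (uint8_t)(claimed_count);
    out[1] = (uint8_t)(claimed_count >> 8);
    out[2] = (uint8_t)(claimed_count >> 16);
    out[3] = (uint8_t)(claimed_count >> 24);
    memset(out + HEADER_SIZE, 0x41, RECORD_SIZE);
    return HEADER_SIZE + RECORD_SIZE;
}

/* Convenience wrappers: run each check on the 20-byte sample. */
int vulnerable_accepts_claim(uint32_t claimed_count)
{
    uint8_t buf[HEADER_SIZE + RECORD_SIZE];
    size_t len = build_sample(buf, claimed_count);
    return vulnerable_accepts(buf, len);
}

int hardened_accepts_claim(uint32_t claimed_count)
{
    uint8_t buf[HEADER_SIZE + RECORD_SIZE];
    size_t len = build_sample(buf, claimed_count);
    return hardened_accepts(buf, len);
}

int main(void)
{
    /* 0x10000001 * 16 wraps to 16 in 32-bit arithmetic: the weak check
     * accepts a header claiming 268 million records in a 20-byte buffer. */
    uint32_t honest = 1, hostile = 0x10000001u;
    printf("honest  count: weak=%d hardened=%d\n",
           vulnerable_accepts_claim(honest), hardened_accepts_claim(honest));
    printf("hostile count: weak=%d hardened=%d\n",
           vulnerable_accepts_claim(hostile), hardened_accepts_claim(hostile));
    return 0;
}
```

The hardened version is the shape a code review or a fuzzer run would push a parser toward: compare the untrusted count against the space actually available (using division, which cannot overflow) rather than trusting a product computed from it. Compiling with `-fsanitize=undefined` does not catch this particular case, because unsigned wraparound is defined behaviour in C, which is why the check itself has to be written carefully.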