Research shows antivirus products vulnerable to attack
Google security researcher Tavis Ormandy has long been a pain to vendors of commercial software with significant bugs, which is to say all vendors of all commercial software.
Lately he has been on a tear finding truly shocking vulnerabilities in commercial Windows security suites, what most people call antivirus. The latest: "Comodo Internet Security installs and starts a VNC server by default," and does not restrict access to it. VNC is an open source remote control tool.
In fact, Ormandy is not claiming to have found this particular feature, which has been reported many times before. The VNC server is part of Comodo GeekBuddy, a tech support tool which Ormandy accuses of "...a number of questionable and shady tactics to encourage users to pay for online tech support." The server allows for local privilege escalation.
In a Packetstorm report from May on this same issue the server was noted as having no password(!), and that Comodo said a fix was forthcoming "with the v4.18.121 release in October 2014". Ormandy shows that Comodo's fix was to put a password on the server, but one which was predictable: "the first 8 characters of SHA1(Disk.Caption+Disk.Signature+Disk.SerialNumber+Disk.TotalTracks)." Comodo reported to Ormandy that it issued a mandatory hotfix on February 10 and that 90%+ of users were updated, and so Ormandy disclosed the issue publicly.
Probably even more severe than the VNC server in Comodo Internet Security was the HTTP server Ormandy found in TrendMicro Antivirus on Windows in January. This allowed any web site visited by the user to launch a shell and arbitrary commands on the user's system.
In recent months he has also reported vulnerabilities in ESET NOD32, Kaspersky Antivirus (quote a few of these), Avast Antivirus, the FireEye MPS (Malware Protection System), AVG AntiVirus and MalwareBytes. He has also reported vulnerabilities in Adobe Flash, Wireshark, Google Chrome and Apple's iOS and OS X kernels.
Ormandy has a history of disclosing severe vulnerabilities and even releasing exploits in other companies' products, Microsoft in particular, with little or no warning to the vendor. In 2010 he released a zero-day exploit in Windows a few days after reporting it to Microsoft, one of many developments that led to Microsoft developing their Coordinated Vulnerability Disclosure program.
Based on his recent reports, however, Ormandy appears to be giving vendors more time to fix problems.