In 2014, another security researcher named Joxean Koret found dozens of remotely and locally exploitable vulnerabilities in 14 different antivirus engines.
There's a general push from developers to limit the privileges of software applications in order to make exploitation of potential vulnerabilities harder. However, that's difficult to do for antivirus products, because they need the highest possible privileges in order to effectively detect, block or clean potential threats.
Compared to many other applications, antivirus products also have a large attack surface, as they need to parse many file types and code written in different languages that are received from a variety of sources, including the Web and email. Historically, input and file parsing operations have been a source of many vulnerabilities.
Sign up for CIO Asia eNewsletters.