So how do they come up with what would be a hugely damaging statistic to the security industry as a whole, were it proven to be true?
Security consultant and cyber threats analyst Dancho Danchev reveals that the research cited by n.runs AG is based partly on Secunia advisory tracking of anti-virus applications specifically. There is also an element of research from the University of Michigan, which looked at the severity of vulnerabilities product by product.
Worryingly, the figures appear to have some basis in truth. Danchev quotes a research paper by Feng Xue that was presented at the Black Hat Europe forum earlier this year. "According to the U.S. National Vulnerability Database, 165 vulnerabilities within antivirus products have been reported during the last 4 years," Danchev says.
n.runs AG, meanwhile, concludes that "The tests performed by the consulting company and solutions developer n.runs have indicated that every virus scanner currently on the market immediately revealed up to several highly critical vulnerabilities. Contrary to their actual function, the products open the door to attackers, enable them to penetrate company networks and infect them with destructive code. The positioning of anti-virus software in central areas of the company now poses an accordingly high security risk."
The company lays most of the blame for this bizarre state of affairs, where the security solution has seemingly become part of the security problem, squarely at the door of parsing. "The principle functions as follows: virus scanners must recognise as many 'Malware' applications as possible – and thereby comprehend and process a large number of file formats," n.runs AG says.
In other words, the more parsing that occurs, the higher the malware recognition, but equally the larger the attack surface. And there lies the rub: the larger that attack surface, the greater the target the anti-virus solution becomes. I suspect that it will not take long for the assorted security vendors whose applications have been comprehensively dismissed as "opening the door to attackers" to arrive with a counterargument. Let's hope it is a good one...
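The attack-surface point above, as an added example that is not from the article or from n.runs AG: a parser for a constructed toy container, showing the checks each length field read from an untrusted file needs before a scanner acts on it. The `AVX1` layout, the entry limit and all function names are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed toy container (an assumption for this example, not a real format):
 *   "AVX1" | u16 count (LE) | count x { u32 size (LE) | size bytes } */
enum parse_result { PARSE_OK = 0, ERR_MAGIC = -1, ERR_TRUNCATED = -2,
                    ERR_TOO_MANY = -3, ERR_TRAILING = -4 };
#define MAX_ENTRIES 1024u

static uint32_t rd_u32le(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Walks every entry. Each length taken from the file is checked against the
 * bytes actually remaining before it is used. On success stores the total
 * payload size and returns PARSE_OK; otherwise returns an error code. */
int parse_container(const uint8_t *buf, size_t len, size_t *payload_total) {
    size_t off = 6, total = 0;
    if (len < 6) return ERR_TRUNCATED;
    if (memcmp(buf, "AVX1", 4) != 0) return ERR_MAGIC;
    unsigned count = buf[4] | (unsigned)buf[5] << 8;
    if (count > MAX_ENTRIES) return ERR_TOO_MANY;   /* bound work per file */
    for (unsigned i = 0; i < count; i++) {
        if (len - off < 4) return ERR_TRUNCATED;    /* size field itself */
        uint32_t size = rd_u32le(buf + off);
        off += 4;
        /* Compare with the remaining bytes: "off + size > len" could wrap. */
        if (size > len - off) return ERR_TRUNCATED;
        total += size;  /* a scanner would pass buf+off, size to its next stage */
        off += size;
    }
    if (off != len) return ERR_TRAILING;            /* unexplained extra data */
    *payload_total = total;
    return PARSE_OK;
}

/* Constructed samples: one well-formed file, one with an oversized length. */
static const uint8_t sample_ok[] = {'A','V','X','1', 2,0, 3,0,0,0,'a','b','c', 1,0,0,0,'z'};
static const uint8_t sample_bad_len[] = {'A','V','X','1', 1,0, 0xff,0xff,0xff,0xff,'a'};

int main(void) {
    size_t total = 0;
    if (parse_container(sample_ok, sizeof sample_ok, &total) != PARSE_OK || total != 4) return 1;
    return parse_container(sample_bad_len, sizeof sample_bad_len, &total) == ERR_TRUNCATED ? 0 : 1;
}
```

A scanner carries one such routine for every file format it understands, and each length or count field in each of them needs the same treatment.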