Leave it to security researchers presenting at Black Hat to question whether antivirus software has buffer overflow and other vulnerabilities. Turns out they do. Alex Wheeler and Neel Mehta looked at antivirus software from Symantec, McAfee, Trend Micro, Computer Associates, F-Secure, and Sophos and found several buffer overflow vulnerabilities. In almost all cases, the antivirus vendors were able to quickly patch and distribute those patches to their customers. The researchers found that commercial antivirus software, in general, is very good; the flaws discovered may have been the result of different teams of software developers contributing to one final product and occasionally overlapping each other, rather than fundamental flaws. The real danger is that the researchers have only scratched the surface; they haven't tested or studied all aspects of antivirus software, nor have they thoroughly looked at free antivirus software, which they found to contain less mature code than its commercial counterparts. They plan to continue investigating antivirus software.