The whole thing is just absurd. We witness an antivirus security product vendor shipping a node.js HTTP server exposing >90 API endpoints in which a single security researcher found 2 remote code execution vulnerabilities plus a way to obtain user stored encrypted passwords - from anywhere on the internet by having the user visit a website.
Look at the other issues reported from the same project. Remaining antivirus companies should be doing a full stack audit right now before they became the stars of another Tavis Ormandy show :)
Remember: this is a security company.
The whole thing is just absurd. We witness an antivirus security product vendor shipping a node.js HTTP server exposing >90 API endpoints in which a single security researcher found 2 remote code execution vulnerabilities plus a way to obtain user stored encrypted passwords - from anywhere on the internet by having the user visit a website.
Look at the other issues reported from the same project. Remaining antivirus companies should be doing a full stack audit right now before they became the stars of another Tavis Ormandy show :)
The worst thing: you’re probably better off with shitty insecure AV than being unprotected on Mac or Windows.