Any exploit of any piece of software that remains un-patched is dangerous. If you have software that's deployed on an enterprise level, it makes it that much more important to have layers of security and excellent patching processes for ALL of your software.
If Sophos fails to patch exploits in a timely matter, that's a different story.
"Sophos claim that their products are deployed throughout healthcare, government, finance, and even the military," Tavis Ormandy wrote in an e-mail posted to a public security forum. "The chaos a motivated attacker could cause to these systems is a realistic global threat. For this reason, Sophos products should only ever be considered for low-value non-critical systems and never deployed on networks or environments where a complete compromise by adversaries would be inconvenient."
A more detailed report that accompanied Ormandy's e-mail outlined a series of vulnerabilities that attackers can exploit remotely to gain complete control over computers running unpatched versions of the Sophos software. At least one of them requires no interaction on the part of a victim, opening the possibility of self-replicating attacks, as compromised machines in turn exploit other machines, he said. The researcher provided what he said was a working exploit against Sophos version 8.0.6 running Apple's OS X. Attackers could "easily" rewrite the code to work against unpatched Sophos products that run on the Windows or Linux operating systems, he said.
A post published to Sophos's Naked Security blog around the same time Ormandy released his report thanked the researcher for privately disclosing the vulnerabilities so they could be fixed before attackers have the knowledge required to exploit them.
"The work of Tavis Ormandy, and others like him in the research community, who choose to work alongside security companies, can significantly strengthen software products," the post stated. "On behalf of its partners and customers, Sophos appreciates Tavis Ormandy's efforts and responsible approach."
The Sophos post detailed eight fixes that were released from 42 days to 55 days after Ormandy privately brought them to the attention of Sophos engineers. For his part, Ormandy concluded that the amount of time it took to release the patches was excessive.
"Sophos simply cannot react fast enough to prevent attacks, even when presented with a working exploit," he wrote. "Should an attacker choose to use Sophos Antivirus as their conduit into your network, Sophos will simply not be able to prevent their continued intrusion for some time, and you must implement contingency pans to handle this scenario if you choose to continue deploying Sophos."
A security researcher at Google, Ormandy stressed that his report and comments were entirely his, and not those of his employer.
With marked improvements in the security of browsers and Adobe's Reader and Flash applications, it wouldn't be surprising for attackers, particularly well-funded ones targeting a specific corporation or government agency, to turn their attention to AV programs. The detailed interactions AV programs have with browsers and sensitive operating system regions means there's plenty of opportunity.
It's unclear if Ormandy has analyzed the security of other antivirus products so he can arrive at an assessment of how they compare to Sophos. He didn't respond to an e-mail seeking comment for this post.