Yikes. Tavis's paper shows multiple buffer overflow attacks against code in Sophos that scans executables and PDF files for viruses, so just by sending someone a file you can inject code into the virus checker, which has maximum privileges. It also disables address space randomization so exploitation is easy.

"The paper includes a working pre-authentication remote root exploit that requires zero-interaction, and could be wormed within the next few days. I would suggest administrators deploying Sophos products study my results urgently, and implement the recommendations."

Ouch. That's pretty much the definition of an "oh crap" vulnerability.