No shit.

A 2010 presentation reveals that the agency was monitoring threat reports sent to antivirus and firewall software makers in the hopes of finding exploits, whether they're brand new forms of malware or vulnerabilities in the defensive apps themselves. It's easier than you might think, too. It's not always possible to update virus definitions very quickly, and many antivirus developers can take weeks or months to patch exploits in their own code.

That isn't shocking at all. I mean, I wouldn't be shocked if one of the major anti-viruses is being exploited right now by the NSA. Maybe even if they owned one of them.

I

I don't think this should come as a surprise...