http://blogs.technet.com/b/srd/archive/2010/12/08/on-the-effectiveness-of-dep-and-aslr.aspx I don't know about the rest but it's disappointing to see such dismal results (albeit this has been discussed before). One could excuse small-time developers if they don't employ DEP/ASLR but come on, AV vendors should do better than this. Time do adopt basic mitigation technologies. http://blogs.microsoft.com/cybertrust/2010/09/21/isv-adoption-of-mitigation-technologies/
This is good. I almost didn't expect any AV testing organization would bring this topic to the surface.