Jun 15 2009

Kaspersky Labs ignores bug hunter, fails to fix security flaw

A double standard lets antivirus firms hide vulnerabilities in their own products

Thierry Zoller is the director of product security at a company called “n.runs AG.” He recently discovered a flaw in Kaspersky Labs’ popular antivirus software.

This is nothing new: antivirus products have always suffered from outright security vulnerabilities. This time, though, Zoller blew up at Kaspersky both in his blog and on some high-profile computer security mailing lists.

“Not only did [Kaspersky Labs] not answer [my bug alert], they (tried) to patch this vulnerability silently, only to fail at it,” Zoller railed. “This is not the first time that Kaspersky did not answer but patched bugs without credit, advisory or anything,” he added.

This, too, is nothing new — the antivirus industry in general has long relied on “silent slipstreams” to de-vuln their security products, neither giving credit to the discoverers nor alerting their customers to the risks they face(d).

I regard it as a dangerous double standard. The bug-hunt community erupts in anger and The Register files a story whenever Microsoft fails to give credit where due in a product vulnerability advisory. Yet nothing big happens when an antivirus firm like Kaspersky fails to—

—waitaminit, folks. Let’s pose this double standard as a trick question. Microsoft offers an RSS feed for security vulnerabilities in their own products. Can you name one antivirus vendor that offers an RSS feed for security vulnerabilities in their own products?

Go on! Look for an RSS feed. I’ll wait…

Okay, stop looking: I’ll give you a ‘B’ for effort. You see, antivirus firms don’t need to disclose vulnerabilities in their own products. “Why does this double standard exist, Rob?” Because antivirus customers don’t care. Period.

(“C’mon, Rob, what would it take to get an ‘A’ for effort?” You’d need to realize two things. First: you’d realize that both the content of this little-known page plus the content of this other little-known page really should appear on this very well-known page on Symantec’s website. Second: you’d realize that Symantec’s “ThreatCon level” doesn’t vibrate when they acknowledge critical vulnerabilities in their own security products.)

(Oh, and I’ll give you extra credit if you can answer another trick question. “Why doesn’t Symantec’s vulnerability disclosure policy impact their ThreatCon level?”)

Zoller directed his anger at Kaspersky Labs. In truth, though, he griped about a long-held double standard that favors the antivirus industry to this day. Zoller swung his fist, saying:

“I am no longer part of an entity that tolerates irresponsible non-disclosure. A professional reaction to a vulnerability notification is a way to measure the maturity of a vendor in terms of security. Kaspersky is given a grace period of two (2) weeks to reply to my notifications. Failure to do so will result in details of all the other reported bugs be[ing] released in two (2) weeks.”

“Measure the maturity of a vendor in terms of security,” he says. Memo to Thierry Zoller: I hate to tell you this, dude, but I’ve documented the antivirus industry’s immaturity for twenty-plus years…