Jun 15 2009

Kaspersky Labs ignores bug hunter, fails to fix security flaw


Thierry Zoller is the director of product security at a company called “n.runs AG.” He recently discovered a flaw in Kaspersky Labs’ popular antivirus software.

This is nothing new: antivirus products have always suffered from outright security vulnerabilities. This time, though, Zoller blew up at Kaspersky both in his blog and on some high-profile computer security mailing lists.


“Not only did [Kaspersky Labs] not answer [my bug alert], they (tried) to patch this vulnerability silently, only to fail at it,” Zoller railed. “This is not the first time that Kaspersky did not answer but patched bugs without credit, advisory or anything,” he added.

This, too, is nothing new — the antivirus industry in general has long relied on “silent slipstreams” to de-vuln their security products, neither giving credit to the discoverers nor alerting their customers to the risks they face(d).

I regard it as a dangerous double standard. The bug-hunt community erupts in anger and The Register files a story whenever Microsoft fails to give credit where due in a product vulnerability advisory. Yet nothing big happens when an antivirus firm like Kaspersky fails to—

—waitaminit, folks. Let’s pose this double standard as a trick question. Microsoft offers an RSS feed for security vulnerabilities in their own products. Can you name one antivirus vendor that offers an RSS feed for security vulnerabilities in their own products?


Go on! Look for an RSS feed. I’ll wait…

Okay, stop looking: I’ll give you a ‘B’ for effort. You see, antivirus firms don’t need to disclose vulnerabilities in their own products. “Why does this double standard exist, Rob?” Because antivirus customers don’t care. Period.

(“C’mon, Rob, what would it take to get an ‘A’ for effort?” You’d need to realize two things. First: you’d realize that both the content of this little-known page plus the content of this other little-known page really should appear on this very well-known page on Symantec’s website. Second: you’d realize that Symantec’s “ThreatCon level” doesn’t vibrate when they acknowledge critical vulnerabilities in their own security products.)

(Oh, and I’ll give you extra credit if you can answer another trick question. “Why doesn’t Symantec’s vulnerability disclosure policy impact their ThreatCon level?”)


Zoller directed his anger at Kaspersky Labs. In truth, though, he griped about a long-held double standard that favors the antivirus industry to this day. Zoller swung his fist, saying:

“I am no longer part of an entity that tolerates irresponsible non-disclosure. A professional reaction to a vulnerability notification is a way to measure the maturity of a vendor in terms of security. Kaspersky is given a grace period of two (2) weeks to reply to my notifications. Failure to do so will result in details of all the other reported bugs be released in two (2) weeks.”

“Measure the maturity of a vendor in terms of security,” he says. Memo to Thierry Zoller: I hate to tell you this, dude, but I’ve documented the antivirus industry’s immaturity for twenty-plus years…

Feb 16 2009

BitDefender (mis)handles PR over their hacked website


BitDefender sells an Internet security suite that offers “proactive protection from viruses, spyware, hackers, and other e-Threats.” Well, their website got hacked. Now in all fairness, their product lines might not protect web servers … but you still gotta love irony.

Normally we’d just shrug at this irony and go about our day. This one, though, deserves attention over the company’s (mis)handling of the affair. Quoting from an updated story in The Register:

“It was only after this article first appeared that the anti-virus company even owned up to the breach, and yes, it potentially exposed Portuguese customers’ names, email addresses and possibly their physical addresses as well… Amazingly, BitDefender offered customers no details about the extent of the damage for more than a day and went so far as to suggest the breach at a site bearing its corporate name isn’t its fault.”

Reporter Dan Goodin goes on to say “we saw a similar reluctance from Kaspersky to share what it knew during the first 36 hours after its security lapse was exposed.” Situations like this constitute a lie by omission. I quote myself from an ancient column when I say “the very experts we pay to protect our PCs will all too often lie, even if they know it will harm their clients’ best interests.”


Goodin then mutters “this is unacceptable for companies entrusted to keep their customers safe.” {sigh} Only here do I differ with him — because after watching this industry for twenty years, I’ve come to realize the court of public opinion never prosecutes virus experts for their lies. Society gets some sort of taboo satisfaction from lying virus experts. These people get rewarded, not punished.

I insist virus experts ultimately lie to us because society wants them to do it. Why? Four words: “addicts need their pushers.” A double standard exists because people can’t give up their addiction to antivirus updates. Society lets its pushers get away with things they’d never let Microsoft get away with…

Feb 08 2009

Kaspersky website gets hacked (again)


A story in The Register reveals “a security lapse at Kaspersky has exposed a wealth of proprietary information about the anti-virus provider’s products and customers, according to a blogger, who posted screen shots and other details.”

I consider it no big deal to hear about any given hack of any given computer security website — no matter how deep it may strike. Indeed, longtime readers will recall this site got hacked last year and sister site Vmyths got hacked in the early 2000s. It happens, folks.

It happens to the best of ’em for any number of reasons. Maybe your firm scaled up to an unfamiliar new web server package. Or maybe you acquired a tiny company with a poorly managed website. Or maybe you forgot about the default security settings after installing a blog feature on your website. Or maybe your hosting provider got hacked and hundreds of your neighbors got defaced along with you…

Ah! But then The Register lobbed a grenade at my opinion:

“Assuming the hack is for real, it wouldn’t be the first time a Kaspersky site has been hit by a SQL injection attack. In July, Kaspersky’s Malaysian site and several subdomains were defaced by a hacker who left pro-Turkish slogans. According to ZDNet’s Zero Day blog here, Zone-h archives show 36 website defacements of international Kaspersky sites since 2000…”

Hey, I can snicker at the irony of any one hack — but 36 37? This number borders on the absurd. It would average out to four hacks per year against Kaspersky’s websites.


Ah! But did you notice where it said “Kaspersky’s Malaysian site and several subdomains were defaced”? I immediately wondered if a cluster of web servers got hacked in a single mass-defacement. Such an event would only count as one incident in my book … yet Zone-H might have logged each defacement separately, thereby skewing the numbers.

Unfortunately, the Zone-H website doesn’t respond right now (did they shut down?) and it’ll take some time to plow through the Wayback Machine. I’ll give Kaspersky the benefit of the doubt until someone analyzes their defacement history.
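The counting problem raised above (one mass-defacement logged as many per-host records) is easy to make concrete. The following is an added example, not code from the original post and not Zone-H’s data or API: it takes constructed defacement records and collapses hosts hit by the same attacker within a short window into a single incident, so that “records” and “incidents” can be compared. The `window_days` heuristic and the sample hostnames are assumptions made for the illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Defacement:
    """One per-host defacement record, as an archive might log it."""
    host: str
    day: date
    attacker: str


# Constructed sample records (hypothetical hosts and crews, not Zone-H data).
# Three hosts hit by the same crew on the same day model a mass-defacement.
SAMPLE = [
    Defacement("www.example-av.com.my", date(2008, 7, 20), "crewA"),
    Defacement("support.example-av.com.my", date(2008, 7, 20), "crewA"),
    Defacement("shop.example-av.com.my", date(2008, 7, 20), "crewA"),
    Defacement("usa.example-av.com", date(2009, 2, 7), "crewB"),
    Defacement("www.example-av.fr", date(2005, 3, 1), "crewC"),
]


def group_incidents(records, window_days=1):
    """Group per-host records into incidents.

    Heuristic (an assumption for this example): records by the same attacker
    whose dates fall within `window_days` of the previous record in the run
    belong to one incident. Returns a list of incidents, each a list of records.
    """
    by_attacker = defaultdict(list)
    for rec in records:
        by_attacker[rec.attacker].append(rec)

    incidents = []
    for recs in by_attacker.values():
        recs.sort(key=lambda r: r.day)
        current = [recs[0]]
        for rec in recs[1:]:
            if (rec.day - current[-1].day).days <= window_days:
                current.append(rec)          # same crew, adjacent days: same incident
            else:
                incidents.append(current)    # gap too large: start a new incident
                current = [rec]
        incidents.append(current)
    return incidents


def incident_counts(records, window_days=1):
    """Compare raw record count with the de-duplicated incident count."""
    incidents = group_incidents(records, window_days)
    return {
        "records": len(records),
        "incidents": len(incidents),
        "mass_defacements": sum(1 for inc in incidents if len(inc) > 1),
    }


def per_year_rate(records, first_year, last_year, window_days=1):
    """Incidents per calendar year over an inclusive year range."""
    years = last_year - first_year + 1
    return len(group_incidents(records, window_days)) / years


if __name__ == "__main__":
    print(incident_counts(SAMPLE))
    print(round(per_year_rate(SAMPLE, 2000, 2008), 2))
```

Run against the constructed sample, five archive records collapse to three incidents, one of them a mass-defacement; the “hacks per year” figure shrinks accordingly. The same grouping applied to a real archive export is how you would check whether a headline count reflects separate break-ins or one event logged many times.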

So until then, let’s all enjoy a glass of lemonade and snicker at the irony of Kaspersky’s latest hack.