Jun 21 2009

Rosenberger to Microsoft: “WTFO?”


Microsoft’s antivirus team (aka “MSAV”) will soon release their “Codename Morro” free antivirus software. So I asked them for a VIP tour.

They turned me down this time. Say what?

The folks at Microsoft listed “money” as their initial excuse. Seems they just can’t afford to give me a tour in the midst of Great Depression 2.0. I fired back the following reply:

MSAV “can’t afford” my visit? Oh, for God’s sake! I’m a critic, remember? I always buy my own plane ticket, I always find my own place to stay, I always flag down my own taxi. NOBODY IN THE ANTIVIRUS INDUSTRY PAYS MY BILLS.

(Except for meals, which are optional. Jimmy Kuo will confirm we once enjoyed a $4 buffet. I’ll buy my own value meal if you can’t expense a trip to Taco Bell.)

This is a no-brainer. I say “MSAV, please give me a tour and some briefings. Give me an hour to brief your folks in return. No fish or seafood.” They respond “Rob, please arrive on this date for this many days. Bring your PowerPoint slides on a USB stick. Dress code at Bison Steak House is a cowboy hat & boots.”

I’m cheap & easy. Tell MSAV to make this happen.

I then opened a second backchannel to Microsoft. “They’ll make it happen,” I thought. I waited for a positive reply.

Now MSAV cites work overload as their excuse. They really do want me to drop in for a visit … but I shouldn’t disturb their intense concentration until “late fall.” In other words: wait six months, then ask again.

Something is wrong when Microsoft turns away a staunchly pro-Redmond computer security critic willing to fly in on his own dime for briefings on their new free antivirus software

This latest rebuff makes no sense, either. We have a saying in the military: “nobody’s too busy to give a dog & pony show.” Especially when school’s out in a region with only three months of great weather.

Something is wrong here, folks. Consider the following:

  • I’ve got a history of touring Microsoft’s facilities & giving lectures. They know me.
  • They’ve never paid a dime for my visits over the years. (An employee once handed me a dime as a joke when I bragged about this fact.)
  • MSAV knows I’m an unabashed fan of Microsoft in general. More to the point: they know I applauded their entry into the marketplace because it would shake up the industry’s then-stagnant antivirus technology.
  • My backdoor access to Microsoft’s various security teams dates to 1997 — literally the week after Howard Schmidt joined the firm.
  • Microsoft knew the real purpose of the “House 2.0” antivirus project almost a year before I identified it to the antivirus industry.
  • The folks in Redmond still believe I’ve got a very powerful cult following among the American & British & Australian gov’t info-protect agencies.

Only Microsoft sent flowers when my wife passed away. And they know I won’t pitch for a job or a grant. So it should be a no-brainer when I ask them for another visit on my own dime.

This bizarre turn-down forces me to ask a very disturbing question. “What is it about ‘Morro’ that they don’t want me to see?”

Jun 15 2009

Kaspersky Labs ignores bug hunter, fails to fix security flaw


Thierry Zoller is the director of product security at a company called “n.runs AG.” He recently discovered a flaw in Kaspersky Labs’ popular antivirus software.

This is nothing new: antivirus products have always suffered from outright security vulnerabilities. This time, though, Zoller blew up at Kaspersky both in his blog and on some high-profile computer security mailing lists.


“Not only did [Kaspersky Labs] not answer [my bug alert], they (tried) to patch this vulnerability silently, only to fail at it,” Zoller railed. “This is not the first time that Kaspersky did not answer but patched bugs without credit, advisory or anything,” he added.

This, too, is nothing new — the antivirus industry in general has long relied on “silent slipstreams” to de-vuln their security products, neither giving credit to the discoverers nor alerting their customers to the risks they face(d).

I regard it as a dangerous double standard. The bug-hunt community erupts in anger and The Register files a story whenever Microsoft fails to give credit where due in a product vulnerability advisory. Yet nothing big happens when an antivirus firm like Kaspersky fails to—

—waitaminit, folks. Let’s pose this double standard as a trick question. Microsoft offers an RSS feed for security vulnerabilities in their own products. Can you name one antivirus vendor that offers an RSS feed for security vulnerabilities in their own products?


Go on! Look for an RSS feed. I’ll wait…

Okay, stop looking: I’ll give you a ‘B’ for effort. You see, antivirus firms don’t need to disclose vulnerabilities in their own products. “Why does this double standard exist, Rob?” Because antivirus customers don’t care. Period.

(“C’mon, Rob, what would it take to get an ‘A’ for effort?” You’d need to realize two things. First: you’d realize that both the content of this little-known page plus the content of this other little-known page really should appear on this very well-known page on Symantec’s website. Second: you’d realize that Symantec’s “ThreatCon level” doesn’t vibrate when they acknowledge critical vulnerabilities in their own security products.)

(Oh, and I’ll give you extra credit if you can answer another trick question. “Why doesn’t Symantec’s vulnerability disclosure policy impact their ThreatCon level?”)

Zoller directed his anger at Kaspersky Labs. In truth, though, he griped about a long-held double standard that favors the antivirus industry to this day. Zoller swung his fist, saying:

“I am no longer part of an entity that tolerates irresponsible non-disclosure. A professional reaction to a vulnerability notification is a way to measure the maturity of a vendor in terms of security. Kaspersky is given a grace period of two (2) weeks to reply to my notifications. Failure to do so will result in details of all the other reported bugs be released in two (2) weeks.”

“Measure the maturity of a vendor in terms of security,” he says. Memo to Thierry Zoller: I hate to tell you this, dude, but I’ve documented the antivirus industry’s immaturity for twenty-plus years…