Be warned that if you use Malwarebytes Anti-Malware, a popular piece of software for combating malware, there are some major vulnerabilities in the program – and these won’t be fixed for some time yet.
The security flaws were first discovered by researcher Tavis Ormandy, who is part of Google’s Project Zero team that searches out exploits. Ormandy informed Malwarebytes of the vulnerabilities back in November, and now that more than three months have passed, the details have been made public (which is Project Zero’s disclosure policy).
Obviously, that makes these security holes all the more dangerous, as when it comes to malware authors and peddlers, all and sundry are now aware of the issues and can attempt to exploit them.
Apparently, Malwarebytes was able to fix a number of the vulnerabilities on the server side pretty much immediately after being told, but patching up the client software is a different and evidently far trickier matter.
As it stands, the company says that it is now testing a new version of the client software with the flaws patched, but this won’t be released for another three to four weeks, worryingly.
Ormandy listed four vulnerabilities which affected Malwarebytes Anti-Malware, the principal one being that the program gets its signature updates over HTTP, which could potentially allow a man-in-the-middle attack to be successfully instigated.
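The HTTP update channel is the flaw worth dwelling on: if a client fetches signature updates over plain HTTP and applies whatever arrives, anyone on the network path can substitute their own bundle. The usual mitigation is twofold: fetch over TLS, and, independently of the transport, have the client verify a vendor signature over the bundle against a public key pinned in the client before applying it. The following Go program is an added illustration of that second check and is not Malwarebytes' code or anything the article describes; the `UpdatePackage` type, the `SignUpdate`/`VerifyUpdate` functions and the sample payload are all constructed for this example. It signs a constructed bundle with a freshly generated Ed25519 key, then shows that a byte-flipped copy and a bundle re-signed under a different key are both rejected.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// UpdatePackage is a hypothetical signed signature-database bundle: the
// database bytes plus an Ed25519 signature over SHA-256(Payload).
type UpdatePackage struct {
	Payload   []byte
	Signature []byte
}

// SignUpdate models the vendor's release step (hypothetical): the private key
// never leaves the build pipeline; only the public key ships in the client.
func SignUpdate(priv ed25519.PrivateKey, payload []byte) UpdatePackage {
	digest := sha256.Sum256(payload)
	return UpdatePackage{Payload: payload, Signature: ed25519.Sign(priv, digest[:])}
}

// VerifyUpdate is the client-side check. The bundle is applied only if the
// signature validates against the pinned vendor key; a tampered payload, a
// missing signature, or a signature from any other key all fail here, whatever
// transport the bytes arrived over.
func VerifyUpdate(pinnedVendorKey ed25519.PublicKey, pkg UpdatePackage) error {
	if len(pkg.Signature) != ed25519.SignatureSize {
		return errors.New("malformed or missing update signature")
	}
	digest := sha256.Sum256(pkg.Payload)
	if !ed25519.Verify(pinnedVendorKey, digest[:], pkg.Signature) {
		return errors.New("update signature does not verify against pinned key: refusing to apply")
	}
	return nil
}

// Result records what the client decided for each scenario, so callers and
// tests can assert on outcomes rather than on printed output.
type Result struct {
	GenuineAccepted  bool // untouched vendor bundle verifies
	TamperedRejected bool // bundle modified on the path is refused
	ForeignKeyRejected bool // bundle signed by a non-vendor key is refused
}

// RunScenario plays through the three cases with constructed sample data.
func RunScenario() (Result, error) {
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Result{}, err
	}
	// Constructed sample payload standing in for a signature database.
	genuine := []byte("constructed sample: signature db 2016-02\nrule: EICAR-Test-File\nrule: Sample.Trojan.A\n")
	pkg := SignUpdate(vendorPriv, genuine)

	var r Result
	r.GenuineAccepted = VerifyUpdate(vendorPub, pkg) == nil

	// An on-path modification of an unauthenticated download: same signature,
	// one payload byte changed. The digest no longer matches, so verification fails.
	tampered := UpdatePackage{Payload: append([]byte(nil), pkg.Payload...), Signature: pkg.Signature}
	tampered.Payload[len(tampered.Payload)-2] ^= 0x01
	r.TamperedRejected = VerifyUpdate(vendorPub, tampered) != nil

	// A bundle that is internally consistent but signed under a key the client
	// does not trust. Pinning the vendor key is what makes this fail.
	_, otherPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Result{}, err
	}
	foreign := SignUpdate(otherPriv, tampered.Payload)
	r.ForeignKeyRejected = VerifyUpdate(vendorPub, foreign) != nil

	return r, nil
}

func main() {
	r, err := RunScenario()
	if err != nil {
		fmt.Println("key generation failed:", err)
		return
	}
	fmt.Printf("genuine bundle accepted:      %v\n", r.GenuineAccepted)
	fmt.Printf("tampered bundle rejected:     %v\n", r.TamperedRejected)
	fmt.Printf("foreign-key bundle rejected:  %v\n", r.ForeignKeyRejected)
}
```

The point of the pinned key is that TLS on the download alone is not the whole answer: a mirror, a proxy, or a compromised CDN edge can still serve a modified file over a perfectly valid TLS session, whereas a signature checked against a key baked into the client binary holds regardless of how the bytes travelled. Real products also bind a version or timestamp into the signed data to stop an old, validly signed bundle from being replayed; that is omitted here for brevity.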
In a blog post, Malwarebytes said: “The research seems to indicate that an attacker could use some of the processes described to insert their own code onto a targeted machine. Based on the findings, we believe that this could only be done by targeting one machine at a time. However, this is of sufficient enough a concern that we are seeking to implement a fix.”
Note that if you’re using the premium (paid-for) version of Malwarebytes Anti-Malware, you can go to settings and enable self-protection, and that will apparently take care of these vulnerabilities. Free users don’t have that luxury, unfortunately.
Malwarebytes has apologised, saying: “While these things happen, they shouldn’t happen to our users.” The company has also initiated its own bug bounty program, in an effort to ferret out further vulnerabilities – something of a PR/damage control move, of course, but certainly a good idea nonetheless.
Malwarebytes certainly isn’t alone though, and indeed Tavis Ormandy found a gaping flaw in Trend Micro’s antivirus product last month. He’s previously exposed other security outfits as well, such as Sophos.