Security

Google ninjas go public with security holes in Malwarebytes antivirus

Software biz races to fix bugs everyone now knows

Malwarebytes is rushing to plug security flaws in its software that allow miscreants to sling malware at its customers.

The antivirus firm says it has addressed server-side vulnerabilities that were reported by Google Project Zero researcher Tavis Ormandy in November. However, security holes remain in the client-side software that runs on people's Windows PCs.

These latter vulnerabilities may take up to three weeks to fix and release, although Ormandy has already gone public with details of the holes. Project Zero gives vendors 90 days to fix their broken software before they go fully public. Time's up for Malwarebytes, so now miscreants can start to exploit the reported vulnerabilities:

  • Malwarebytes updates are not signed or downloaded over a secure channel
  • Malwarebytes uses incorrect ACLs allowing trivial privilege escalation
  • TXTREPLACE rules are not context aware, allowing code inject
  • ACTIONs can result in remote code execution

In a blog post on Monday, Malwarebytes chief exec Marcin Kleczynski apologized for the evidently hard-to-eradicate programming blunders:

Within days, we were able to fix several of the vulnerabilities server-side and are now internally testing a new version (2.2.1) to release in the next 3-4 weeks to patch the additional client-side vulnerabilities. At this time, we are still triaging based on severity.

The research seems to indicate that an attacker could use some of the processes described to insert their own code onto a targeted machine. Based on the findings, we believe that this could only be done by targeting one machine at a time.

However, this is of sufficient enough a concern that we are seeking to implement a fix. Consumers using the Premium version of Malwarebytes Anti-Malware should enable self-protection under settings to mitigate all of the reported vulnerabilities.

Ormandy, a top ninja in the Google Project Zero bug-hunting team, has carved out a niche in exposing the security shortcomings of anti-virus products, in software from Trend Micro, ESET, FireEye, Kaspersky and Avast security products.

Malwarebytes wouldn't go into the specifics of the remaining vulnerabilities, although all the details are on the Google Project Zero site – minus the hardcoded RC4 key that Ormandy says capable bods can figure out themselves.

Kleczynski further sought to put a positive spin on a lamentable state of affairs by announcing a bug bounty program.

Bug hunters will be offered up to US$1,000 for supplying tip-offs about security problems in Malwarebytes software, a modest reward on par with similar schemes from the likes of AVG, which competes with Malwarebytes in offering security software to consumers. ®

Sponsored: Global DDoS threat landscape report