Google Project Zero has publicly disclosed a security vulnerability in Malwarebytes that exposes the consumer version of its Anti-Malware software to man-in-the-middle attacks.
Before going public, Google security researcher Tavis Ormandy had reported the issue to the company 90 days earlier. In early November 2015, Ormandy informed Malwarebytes that its Anti-Malware software updates were not delivered over a secure channel, leaving an opening for attackers to exploit.
“Malwarebytes fetches their signature updates over HTTP, permitting a man in the middle attack. The protocol involves downloading YAML files over HTTP for each update from http://data-cdn.mbamupdates.com. Although the YAML files include an MD5 checksum, as it’s served over HTTP and not signed, an attacker can simply replace it,” warned Ormandy.
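The weakness Ormandy describes is that the checksum travels over the same unauthenticated channel as the payload, so it detects corruption but not substitution. The following added example (not Malwarebytes code; the manifest format, payloads and key are constructed) contrasts a checksum-only check with a keyed tag the delivery channel never carries; an HMAC stands in for the public-key signature a real update client would verify.

```python
import hashlib
import hmac

# Constructed values for illustration only; none of these are Malwarebytes data.
VENDOR_KEY = b"constructed-vendor-signing-key"   # hypothetical key held only by the vendor
GENUINE_RULES = b"rule-1: detect-foo\nrule-2: detect-bar\n"
SUBSTITUTED_RULES = b"rule-1: detect-nothing\n"

def parse_manifest(text: str) -> dict:
    """Parse a flat 'key: value' manifest (a stand-in for the YAML update files)."""
    fields = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
    return fields

def build_manifest(payload: bytes, key=None) -> str:
    """Vendor side: the MD5 the article mentions, plus a keyed tag when a key is supplied."""
    lines = [f"md5: {hashlib.md5(payload).hexdigest()}"]
    if key is not None:
        lines.append(f"sig: {hmac.new(key, payload, hashlib.sha256).hexdigest()}")
    return "\n".join(lines) + "\n"

def verify_md5_only(manifest_text: str, payload: bytes) -> bool:
    """The scheme on the page: accept if the checksum shipped beside the payload matches it."""
    return parse_manifest(manifest_text).get("md5") == hashlib.md5(payload).hexdigest()

def verify_signed(manifest_text: str, payload: bytes, key: bytes) -> bool:
    """Hardened check: the tag depends on a secret that never crosses the update channel."""
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, parse_manifest(manifest_text).get("sig", ""))

def genuine_passes_both() -> bool:
    """A vendor-built manifest satisfies both checks."""
    manifest = build_manifest(GENUINE_RULES, VENDOR_KEY)
    return verify_md5_only(manifest, GENUINE_RULES) and verify_signed(manifest, GENUINE_RULES, VENDOR_KEY)

def substitution_passes_md5() -> bool:
    """A payload replaced together with its manifest still satisfies the MD5 check."""
    return verify_md5_only(build_manifest(SUBSTITUTED_RULES), SUBSTITUTED_RULES)

def substitution_passes_signed() -> bool:
    """Without the vendor key, a replaced payload cannot carry a valid tag."""
    return verify_signed(build_manifest(SUBSTITUTED_RULES), SUBSTITUTED_RULES, VENDOR_KEY)
```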
Malwarebytes’ response to Google’s public disclosure
The company responded to Google’s disclosure by saying that it had fixed several of the server-side vulnerabilities and would soon release a new version of the software to patch the remaining client-side vulnerabilities. However, the new version is not expected for another 3-4 weeks, news that was unsettling for existing Malwarebytes users.
Company CEO renders an apology
“I’d also like to take this opportunity to apologize. While these things happen, they shouldn’t happen to our users”, said Marcin.
Marcin Kleczynski, Malwarebytes CEO, offered an apology to users of the Anti-Malware software, saying that vulnerabilities are the harsh reality of software development and that his company would launch a bug bounty program to encourage security researchers to find vulnerabilities in Malwarebytes software.
The reward would be in the range of $100-$1,000 depending on the type of bug discovered.
Advice to existing Malwarebytes users
If you are an existing Malwarebytes Anti-Malware user, you should enable Self-protection under Settings to mitigate all of the reported vulnerabilities. However, as Marcin pointed out, this protection is available only to those using the premium version of the Anti-Malware software.