Experts at Google’s Project Zero have once again shamed a security software company. This time Malwarebytes is the ‘victim’.
According to Project Zero, the Malwarebytes security solution is less secure than it should be, because it is vulnerable to man-in-the-middle (MITM) attacks. But don’t worry: the company is already working on a fix.
MITM attacks are easy to mount against the software. The reason? Malwarebytes downloads updates without using encryption, allowing attackers to replace the original content of an update with arbitrary code.
According to Tavis Ormandy, Project Zero security researcher:
MalwareBytes fetches their signature updates over HTTP, permitting a man in the middle attack. Although the YAML files include an MD5 checksum, as it’s served over HTTP and not signed, an attacker can simply replace it.
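The weakness Ormandy describes is that the checksum travels in the same unauthenticated channel as the file it is meant to protect, so an interceptor can simply regenerate it. The following added example (not code from the article or from Malwarebytes; the manifest format, file name and update contents are constructed) contrasts a checksum-only verifier with one that also checks an Ed25519 signature over the manifest using a key pinned in the client.

```go
package main

import (
	"crypto/ed25519"
	"crypto/md5"
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"strings"
)

// buildManifest mimics an update manifest carrying only an MD5 digest of the
// payload: whoever rewrites the HTTP response can rewrite this line as well.
func buildManifest(name string, payload []byte) string {
	sum := md5.Sum(payload)
	return fmt.Sprintf("file: %s\nmd5: %s\n", name, hex.EncodeToString(sum[:]))
}

// verifyChecksumOnly is the weak check: it trusts the digest stated by the
// unauthenticated manifest, so a consistently forged pair passes.
func verifyChecksumOnly(manifest string, payload []byte) bool {
	sum := md5.Sum(payload)
	for _, line := range strings.Split(manifest, "\n") {
		if strings.HasPrefix(line, "md5: ") {
			return strings.TrimPrefix(line, "md5: ") == hex.EncodeToString(sum[:])
		}
	}
	return false
}

// verifySigned also demands an Ed25519 signature over the manifest made with the pinned vendor key.
func verifySigned(pub ed25519.PublicKey, manifest string, sig, payload []byte) bool {
	return ed25519.Verify(pub, []byte(manifest), sig) && verifyChecksumOnly(manifest, payload)
}

// Demo serves a genuine update, then swaps payload and manifest in transit.
// Returns (genuine update accepted by signed check, checksum-only fooled, signed fooled).
func Demo() (bool, bool, bool) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	original := []byte("constructed sample: signature update v1")
	manifest := buildManifest("sigs.dat", original)
	sig := ed25519.Sign(priv, []byte(manifest)) // produced once at the vendor
	// In transit both payload and manifest are replaced with a consistent forged pair.
	tampered := []byte("constructed sample: substituted payload")
	forged := buildManifest("sigs.dat", tampered)
	return verifySigned(pub, manifest, sig, original),
		verifyChecksumOnly(forged, tampered),
		verifySigned(pub, forged, sig, tampered)
}
```

Transport encryption (HTTPS) would stop the interception, but the signature is what lets the client reject a substituted update even if the transport is compromised.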
The report about the bug is subject to a 90-day disclosure deadline. If 90 days elapse without a broadly available patch, the bug report automatically becomes visible to the public.
Malwarebytes missed the deadline. However, the company published a statement saying that a fix is on the way and that there is nothing to panic about.
Within days, we were able to fix several of the vulnerabilities server-side and are now internally testing a new version (2.2.1) to release in the next 3-4 weeks to patch the additional client-side vulnerabilities,
Marcin Kleczynski – Malwarebytes
Malwarebytes suggests that users who want a short-term fix can enable self-protection under Settings to mitigate all of the reported vulnerabilities. The company has also published a full advisory on its blog.