Google’s Project Zero | Malwarebytes provides poor update security
Google’s Project Zero publicly shames Malwarebytes for poor update security.
Google’s Project Zero has again gone public, this time with a security vulnerability in Malwarebytes that opens the anti-malware software’s update channel to man-in-the-middle attacks.
But, according to Malwarebytes, a fix is on the way.
Malwarebytes downloads its updates over plain HTTP, without encryption or any authentication of what is received, so an attacker positioned on the network path could replace them with arbitrary code.
Project Zero researcher Tavis Ormandy wrote:
“MalwareBytes fetches their signature updates over HTTP, permitting a man in the middle attack. Although the YAML files include an MD5 checksum, as it’s served over HTTP and not signed, an attacker can simply replace it.”
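The point Ormandy is making is that a checksum delivered over the same unauthenticated channel as the file it describes proves nothing: whoever can rewrite the file can rewrite the checksum. The Go program below is an added example written for this page (it is not Malwarebytes’ client, nor Project Zero’s proof of concept) that models both protocols side by side: a client that checks an MD5 carried in a plain-HTTP manifest, an on-path attacker that swaps the payload and recomputes the digest, and a hardened client that pins the publisher’s Ed25519 public key and only trusts the digest after the manifest’s signature verifies. The manifest layout, the field names, the `rules.ref` file name and the sample update contents are all constructed for the example and are assumptions, not Malwarebytes’ real format.

```go
package main

import (
	"crypto/ed25519"
	"crypto/md5"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"strings"
)

// manifest stands in for the update manifest the report describes. Layout and
// field names are assumptions for this example, not Malwarebytes' real format.
type manifest struct {
	file string
	hash string // hex digest of the payload: MD5 in the weak scheme, SHA-256 in the hardened one
	sig  string // hex Ed25519 signature over signedBody (hardened scheme only)
}

// parseManifest reads "key: value" lines, the only YAML subset this example needs.
func parseManifest(text string) manifest {
	f := map[string]string{}
	for _, line := range strings.Split(text, "\n") {
		if kv := strings.SplitN(line, ": ", 2); len(kv) == 2 {
			f[kv[0]] = kv[1]
		}
	}
	return manifest{file: f["file"], hash: f["hash"], sig: f["sig"]}
}

// signedBody is the exact byte string the publisher signs and the client checks;
// the hash is inside it, so the signature also authenticates the payload.
func signedBody(m manifest) []byte {
	return []byte("file: " + m.file + "\nhash: " + m.hash + "\n")
}

func md5Hex(b []byte) string    { d := md5.Sum(b); return hex.EncodeToString(d[:]) }
func sha256Hex(b []byte) string { d := sha256.Sum256(b); return hex.EncodeToString(d[:]) }

// verifyWeak is the check Project Zero criticised: the client trusts a digest
// fetched over the same unauthenticated HTTP channel as the payload.
func verifyWeak(m manifest, payload []byte) bool {
	return subtle.ConstantTimeCompare([]byte(md5Hex(payload)), []byte(m.hash)) == 1
}

// verifyHardened is the fix: the client pins the publisher's public key, accepts
// the manifest only if its signature verifies, and only then trusts the hash.
func verifyHardened(pub ed25519.PublicKey, m manifest, payload []byte) bool {
	sig, err := hex.DecodeString(m.sig)
	if err != nil || len(sig) != ed25519.SignatureSize || !ed25519.Verify(pub, signedBody(m), sig) {
		return false
	}
	return subtle.ConstantTimeCompare([]byte(sha256Hex(payload)), []byte(m.hash)) == 1
}

// mitmReplace is the on-path attacker: it swaps the payload and rewrites the digest to
// match. It has no signing key, so any signature it leaves in place no longer covers the body.
func mitmReplace(m manifest, evil []byte) (manifest, []byte) {
	forged := m
	if len(m.hash) == sha256.Size*2 {
		forged.hash = sha256Hex(evil)
	} else {
		forged.hash = md5Hex(evil)
	}
	return forged, evil
}

var ( // constructed sample update and malicious replacement for the demo
	genuineUpdate = []byte("rule: detect evil.exe\n")
	trojanUpdate  = []byte("rule: (none); drop and run payload.exe\n")
)

// weakScenario reports whether the swapped payload passes the checksum-only check.
func weakScenario() bool {
	served := string(signedBody(manifest{file: "rules.ref", hash: md5Hex(genuineUpdate)}))
	tampered, payload := mitmReplace(parseManifest(served), trojanUpdate)
	return verifyWeak(tampered, payload)
}

// hardenedScenario reports whether the genuine and the swapped payload pass the signed check.
func hardenedScenario() (bool, bool, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, err
	}
	m := manifest{file: "rules.ref", hash: sha256Hex(genuineUpdate)}
	m.sig = hex.EncodeToString(ed25519.Sign(priv, signedBody(m)))
	client := parseManifest(string(signedBody(m)) + "sig: " + m.sig + "\n")
	tampered, payload := mitmReplace(client, trojanUpdate)
	return verifyHardened(pub, client, genuineUpdate), verifyHardened(pub, tampered, payload), nil
}

func main() {
	g, t, err := hardenedScenario()
	fmt.Println("checksum-only accepts MITM payload:", weakScenario(), "| signed accepts genuine:", g, "| signed accepts MITM payload:", t, "| err:", err)
}
```

Run with `go run`: the checksum-only client accepts the swapped payload, the signed client accepts the genuine update and rejects the swapped one. Two design points worth noting: serving the manifest over TLS would also have stopped this particular on-path attacker, but a signature verified against a pinned key additionally survives a compromised CDN or mirror; and the digest algorithm is secondary, because an unsigned SHA-256 is exactly as replaceable as an unsigned MD5.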
The report detailing the issue, made public today, goes on to outline a couple more issues that could allow arbitrary code execution. It also, like every Project Zero report, set a deadline.
The report stated:
“This bug is subject to a 90 day disclosure deadline. If 90 days elapse without a broadly available patch, then the bug report will automatically become visible to the public.”
But Malwarebytes missed the deadline. To its credit, though, the company put out a statement saying a fix is on the way, while also saying there is nothing to panic about.
Malwarebytes’ Marcin Kleczynski wrote in a blog post about the issue:
“Within days, we were able to fix several of the vulnerabilities server-side and are now internally testing a new version (2.2.1) to release in the next 3-4 weeks to patch the additional client-side vulnerabilities.”
According to Kleczynski:
“Users concerned about the threat should enable self-protection under settings to mitigate all of the reported vulnerabilities.”
The post, which offered that short-term mitigation along with an apology for the problems, was well received by users in the comments, apart from one who asked for a refund for the three months the issue went unresolved.
We’re sure everyone will be happier when the problems are fully patched.
Project Zero is a group within Google that tracks down previously unknown security problems, commonly referred to as zero-days, before attackers can take advantage of them. The problems are reported to the company responsible for the software, and if nothing is done about them within 90 days, the report is released publicly.