Skip to main content
  1. Home
  2. Computing
  3. News

Google's Project Zero publicly shames Malwarebytes for poor update security

By

google project zero malwarebytes vulnerability headquarters
turtix/Shutterstock
Google’s Project Zero is at it again, this time outing Malwarebytes for a security vulnerability that opens the anti-malware software to man in the middle attacks. A fix is on the way, according to Malwarebytes.

The problem? Updates for Malwarebytes are downloaded sans encryption, meaning a would-be attacker with network access could potentially replace them with arbitrary code.

Recommended Videos

“MalwareBytes fetches their signature updates over HTTP, permitting a man in the middle attack,” wrote Project Zero researcher Tavis Ormandy. “Although the YAML files include an MD5 checksum, as it’s served over HTTP and not signed, an attacker can simply replace it.”

Related

The post detailing the issue, made public today, goes on to outline a couple more issues that could allow arbitrary code execution. It also, like every Project Zero post, outlined a deadline.

“This bug is subject to a 90 day disclosure deadline,” the report states clearly, in bold text. “If 90 days elapse without a broadly available patch, then the bug report will automatically become visible to the public.”

Malwarebytes missed the deadline. To its credit, though, the company put out a statement saying a fix is on the way, while also saying there’s nothing to panic about.

“Within days, we were able to fix several of the vulnerabilities server-side and are now internally testing a new version (2.2.1) to release in the next 3-4 weeks to patch the additional client-side vulnerabilities,” wrote Malwarebytes’ Marcin Kleczynski in a blog post about the issue.

The post also offered a short term fix. Users concerned about threat should “enable self-protection under settings to mitigate all of the reported vulnerabilities,” according to Kleczynski.

The post, which also offered an apology for the problems, was well-recieved by users in the comments — bar the one who asked for a refund for the three months the issue went unsolved. We’re sure everyone will be happier when the problems are fully patched.

Google Zero is a group within Google that tracks down previously unknown security problems, commonly referred to as zero day attacks, before would-be attackers can take advantage of them. The problems are reported to the company responsible for the software, and if nothing is done about them within 90 days, the report is released to the public.

Editors' Recommendations

Topics
Justin Pot
Justin Pot
Former Digital Trends Contributor
Justin's always had a passion for trying out new software, asking questions, and explaining things – tech journalism is the…
Google lead says he’s ‘disappointed’ with Apple’s new iPhone security program
iPhone 11 Pro feature image

Apple’s new hacker-friendly iPhones offer security researchers unrestricted access to devices so that they can easily hunt down vulnerabilities and bugs. But Ben Hawkes, technical lead at Project Zero, a team at Google tasked with discovering security flaws, says he’s “pretty disappointed” with Apple’s latest security program.

Hawkes, in a Twitter thread, said that its team won’t be able to take advantage of Apple’s “Security Research Device” (SRD) iPhones since it appears to exclude security groups that have a policy to publish their findings in three months.

Read more
Update Google Chrome to latest version immediately to avoid trio of threats
Chrome Smartphone stock image

Google Chrome users need to update their browser to the latest version immediately to protect themselves from three different zero-day vulnerabilities. 

The company is aware of the vulnerabilities and issued a fix for the them in the latest update, 80.0.3987.122. The zero-day vulnerabilities were labeled as “high” in severity and could allow potential hackers to trick people into visiting a fake webpage, which could affect the computer’s entire system. 

Read more
This Lenovo laptop is usually $1,700 — today it’s $847
The Lenovo ThinkBook 16 Gen 6 laptop on a white background.

If you're looking for a new laptop that will have no problem keeping up with your daily workload, you should check out the sixth-generation Lenovo ThinkBook 16, especially now that it's on sale from Lenovo at 51% off. From its original price of $1,729, it's down to a more affordable $847, which is excellent value when you consider the capabilities of this machine. You need to complete the purchase as soon as possible if you want the $882 in savings though, because there's a chance that it's already gone by tomorrow.

Why you should buy the Lenovo ThinkBook 16 Gen 6
The sixth-generation Lenovo ThinkBook 16 is a dependable laptop for its price, as it will help you complete your everyday activities and tasks quickly and efficiently with its 13th-generation Intel Core i7 processor and integrated Intel Iris Xe Graphics. It's also got 16GB of RAM, which our laptop buying guide says is the sweet spot for most people. While the Lenovo ThinkBook 16 Gen 6 won't go as fast as the top-of-the-line models of the best laptops, it will surely boost the productivity of both professionals and students.

Read more