Google's Project Zero publicly shames Malwarebytes for poor update security

google project zero malwarebytes vulnerability headquarters
turtix/Shutterstock
Google’s Project Zero is at it again, this time outing Malwarebytes for a security vulnerability that opens the anti-malware software to man in the middle attacks. A fix is on the way, according to Malwarebytes.

The problem? Updates for Malwarebytes are downloaded sans encryption, meaning a would-be attacker with network access could potentially replace them with arbitrary code.

“MalwareBytes fetches their signature updates over HTTP, permitting a man in the middle attack,” wrote Project Zero researcher Tavis Ormandy. “Although the YAML files include an MD5 checksum, as it’s served over HTTP and not signed, an attacker can simply replace it.”

The post detailing the issue, made public today, goes on to outline a couple more issues that could allow arbitrary code execution. It also, like every Project Zero post, outlined a deadline.

“This bug is subject to a 90 day disclosure deadline,” the report states clearly, in bold text. “If 90 days elapse without a broadly available patch, then the bug report will automatically become visible to the public.”

Malwarebytes missed the deadline. To its credit, though, the company put out a statement saying a fix is on the way, while also saying there’s nothing to panic about.

“Within days, we were able to fix several of the vulnerabilities server-side and are now internally testing a new version (2.2.1) to release in the next 3-4 weeks to patch the additional client-side vulnerabilities,” wrote Malwarebytes’ Marcin Kleczynski in a blog post about the issue.

The post also offered a short term fix. Users concerned about threat should “enable self-protection under settings to mitigate all of the reported vulnerabilities,” according to Kleczynski.

The post, which also offered an apology for the problems, was well-recieved by users in the comments — bar the one who asked for a refund for the three months the issue went unsolved. We’re sure everyone will be happier when the problems are fully patched.

Google Zero is a group within Google that tracks down previously unknown security problems, commonly referred to as zero day attacks, before would-be attackers can take advantage of them. The problems are reported to the company responsible for the software, and if nothing is done about them within 90 days, the report is released to the public.

Emerging Tech

Awesome Tech You Can’t Buy Yet: camera with A.I. director, robot arm assistant

Check out our roundup of the best new crowdfunding projects and product announcements that hit the web this week. You may not be able to buy this stuff yet, but it sure is fun to gawk!
Gaming

Having issues with your PS4? Check out our solutions to its most common problems

Just because the PlayStation 4 is a remarkable system doesn't mean that it's immune to the occasional hiccup. Thankfully, we've vetted some of the bigger PS4 problems and found solutions for whatever might ail you.
Computing

How good are you at spotting phishing scams? Take this quiz to find out

Are you able to discern between a legitimate email and one that's a scam designed to phish for your personal information? Google created an online quiz with tips to help you better understand phishing so you don't become a victim.
Gaming

Everything we know about 'Red Dead Online', including the new mode Gun Rush

Red Dead Online will gradually rolled out to Red Dead Redemption 2 players via a beta. We've got all the details about the beta's suite of competitive and cooperative modes, as well as what to expect going forward.
Computing

Ditch the backdrop from your photos with these handy tools

Need to know how to remove the background from an image? Here's how, whether you prefer to use a premium program like Photoshop or one of the many web-based alternatives currently in existence.
Computing

Think someone's leeching off your Wi-Fi connection? Here's how to find out

It's important to find out immediately if anyone is stealing your bandwidth. Here's how to tell if someone is stealing your Wi-Fi using a few simple tools, along with some suggestions on improving security.
Computing

‘Flexgate’ is the latest controversy plaguing some MacBook Pro owners

iFixit recently uncovered a new "Flexgate" issue with MacBook Pros after some consumers reported a "stage light" effect, where the backlighting on the device would fail and cause the bottom of the display to become slightly distorted.
Computing

Open RAR files with the greatest of ease using these awesome applications

Few things are more bothersome than not being able to open a file when you need it most. Check out our quick guide about how to open RAR files in Windows and MacOS. We will walk you through the process, step by step.
Web

Google Chrome’s latest decision could prevent most ad-blockers from functioning

Google Chrome's newest change is cited as a step forward for speed and security, but could profoundly alter how the majority of ad-blocking extensions operate. The move potentially gives Google more control over which ads can be blocked.
Computing

Samsung permits peek at an eye-popping, 15-inch 4K OLED laptop display

Samsung is now preparing for the new OLED laptop trend and is providing a look at an eye-popping 15.6-inch 4K OLED panel that is expected to power larger premium laptops in the new year.
Music

Here's our head-to-head comparison of Pandora and Spotify

Which music streaming platform is best for you? We pit Spotify versus Pandora, two mighty streaming services with on-demand music and massive catalogs, comparing every facet of the two services to help you decide which is best.
Computing

Latest ransomware targets gamers with a malicious sophistication

The latest piece of ransomware, Anatova, has been discovered by the security team at McAfee. Employing a smart tactic to confuse users and able to clean its tracks as it evolves, this is one tough piece of ransomware.
Computing

Are AMD Navi GPUs coming soon? Reference found in MacOS hints at release date

Fresh off the announcement of Radeon Vega VII at CES 2019, in the latest rumors, source code references in macOS hint that the next 7nm AMD Navi products might be coming in July.
Computing

Battle of the best: How does the new XPS 13 compete with our favorite ZenBook?

The ZenBook 13 UX333 continues Asus's tradition of offering great budget-oriented 13-inch laptop offerings. Does this affordable machine offer enough value to compete with the excellent Dell XPS 13?