Google's Project Zero publicly shames Malwarebytes for poor update security

google project zero malwarebytes vulnerability headquarters
turtix/Shutterstock
Google’s Project Zero is at it again, this time outing Malwarebytes for a security vulnerability that opens the anti-malware software to man in the middle attacks. A fix is on the way, according to Malwarebytes.

The problem? Updates for Malwarebytes are downloaded sans encryption, meaning a would-be attacker with network access could potentially replace them with arbitrary code.

“MalwareBytes fetches their signature updates over HTTP, permitting a man in the middle attack,” wrote Project Zero researcher Tavis Ormandy. “Although the YAML files include an MD5 checksum, as it’s served over HTTP and not signed, an attacker can simply replace it.”

The post detailing the issue, made public today, goes on to outline a couple more issues that could allow arbitrary code execution. It also, like every Project Zero post, outlined a deadline.

“This bug is subject to a 90 day disclosure deadline,” the report states clearly, in bold text. “If 90 days elapse without a broadly available patch, then the bug report will automatically become visible to the public.”

Malwarebytes missed the deadline. To its credit, though, the company put out a statement saying a fix is on the way, while also saying there’s nothing to panic about.

“Within days, we were able to fix several of the vulnerabilities server-side and are now internally testing a new version (2.2.1) to release in the next 3-4 weeks to patch the additional client-side vulnerabilities,” wrote Malwarebytes’ Marcin Kleczynski in a blog post about the issue.

The post also offered a short term fix. Users concerned about threat should “enable self-protection under settings to mitigate all of the reported vulnerabilities,” according to Kleczynski.

The post, which also offered an apology for the problems, was well-recieved by users in the comments — bar the one who asked for a refund for the three months the issue went unsolved. We’re sure everyone will be happier when the problems are fully patched.

Google Zero is a group within Google that tracks down previously unknown security problems, commonly referred to as zero day attacks, before would-be attackers can take advantage of them. The problems are reported to the company responsible for the software, and if nothing is done about them within 90 days, the report is released to the public.

Emerging Tech

Drones: New rules could soon allow flights over people and at night

With commercial operators in mind, the U.S. government is looking to loosen restrictions on drone flights with a set of proposals that would allow the machines greater freedom to fly over populated areas and also at night.
Computing

Getting Windows 10 updated doesn't have to be so painful

Windows update not working? It's a more common problem than you might think. Fortunately, there are a few steps you can take to troubleshoot it and in this guide we'll break them down for you step by step.
Computing

Firefox will disable Flash on its browsers by default in 2019

Mozilla's Firefox browser will continue to do its part in deprecating the Flash plugin this year with new plans revealed to disable it by default in an upcoming Nightly build, followed by a stable release in September.
Web

Shutdown makes dozens of .gov websites insecure due to expired TLS certificates

The US government shutdown is causing trouble in internet security. As the shutdown enters day 22, dozens of government websites have been rendered insecure or inaccessible due to expired transport layer security (TLS) certificates.
Computing

Still miss Windows 7? Here's how to make Windows 10 look more like it

There's no simple way of switching on a Windows 7 mode in Windows 10. Instead, you can install third-party software, manually tweak settings, and edit the registry. We provide instructions for using these tweaks and tools.
Computing

Lost your router? Here's how to find its IP address to help track it down

Changing the login information for your router isn't always easy, that's why so many have that little card on the back. But in order to use it, you need to know where to go. Here's how to find the IP address of your router.
Computing

Our favorite Windows apps will help you get the most out of your new PC

Not sure what apps you should be downloading for your newfangled Windows device? Here are the best Windows apps, whether you need something to speed up your machine or access your Netflix queue. Check out our categories and favorite picks.
Computing

Is it worth spending more for the Surface Pro, or is the Surface Go good enough?

The Surface Go versus Surface Pro -- which is better? While the higher price tag of one might make you think it's an easy choice, a deeper dive into what each offers makes it a closer race than you might assume.
Computing

Pinning websites to your taskbar is as easy as following these quick steps

Would you like to know how to pin a website to the taskbar in Windows 10 in order to use browser links like apps? Whichever browser you're using, it's easier than you might think. Here's how to get it done.
Computing

Stop your PC's vow of silence with these tips on how to fix audio problems

Sound problems got you down? Don't worry, with a few tweaks and tricks we'll get your sound card functioning as it should, and you listening to your favorite tunes and in-game audio in no time.
Computing

Yes, Android apps can run on your PC, and it's easier than you think

Wish you knew how to run Android apps in Windows? It's easier than you might think and there are a number of different ways to do it. In this guide, we break down the steps so you can follow along with ease.
Computing

Don't spend hundreds on Pro Tools or Logic. Try one of these free alternatives

Believe it or not, Pro Tools isn't the only digital audio workstation worth your time. Check out our picks for the best free recording software, whether you're looking for a lightweight app or a full-blown audio workstation.
Computing

How to share an external hard drive between Mac and Windows

Compatibility issues between Microsoft Windows and Apple MacOS may have diminished sharply over the years, but that doesn't mean they've completely disappeared. Here's how to make an external drive work between both operating systems.
Computing

Should you buy the affordable MacBook Air, or is the MacBook Pro worth the price?

Though they both share Retina Displays and similar keyboards, there are still some specs differences and other changes that differentiate the new 2018 MacBook Air and MacBook Pro. In this guide, we stack the two up against each other.