Skip to main content
  1. Home
  2. Computing
  3. News

Google's Project Zero publicly shames Malwarebytes for poor update security

Justin Pot
By

google project zero malwarebytes vulnerability headquarters
turtix/Shutterstock
Google’s Project Zero is at it again, this time outing Malwarebytes for a security vulnerability that opens the anti-malware software to man in the middle attacks. A fix is on the way, according to Malwarebytes.

The problem? Updates for Malwarebytes are downloaded sans encryption, meaning a would-be attacker with network access could potentially replace them with arbitrary code.

“MalwareBytes fetches their signature updates over HTTP, permitting a man in the middle attack,” wrote Project Zero researcher Tavis Ormandy. “Although the YAML files include an MD5 checksum, as it’s served over HTTP and not signed, an attacker can simply replace it.”

The post detailing the issue, made public today, goes on to outline a couple more issues that could allow arbitrary code execution. It also, like every Project Zero post, outlined a deadline.

“This bug is subject to a 90 day disclosure deadline,” the report states clearly, in bold text. “If 90 days elapse without a broadly available patch, then the bug report will automatically become visible to the public.”

Malwarebytes missed the deadline. To its credit, though, the company put out a statement saying a fix is on the way, while also saying there’s nothing to panic about.

“Within days, we were able to fix several of the vulnerabilities server-side and are now internally testing a new version (2.2.1) to release in the next 3-4 weeks to patch the additional client-side vulnerabilities,” wrote Malwarebytes’ Marcin Kleczynski in a blog post about the issue.

The post also offered a short term fix. Users concerned about threat should “enable self-protection under settings to mitigate all of the reported vulnerabilities,” according to Kleczynski.

The post, which also offered an apology for the problems, was well-recieved by users in the comments — bar the one who asked for a refund for the three months the issue went unsolved. We’re sure everyone will be happier when the problems are fully patched.

Google Zero is a group within Google that tracks down previously unknown security problems, commonly referred to as zero day attacks, before would-be attackers can take advantage of them. The problems are reported to the company responsible for the software, and if nothing is done about them within 90 days, the report is released to the public.

Editors' Recommendations

Microsoft’s emoji library goes open source

The design process of emoji.

The most common Microsoft Teams problems, and how to fix them

A close-up of someone using Microsoft Teams on a laptop for a videoconference.

Selling something online? Watch out for this clever new scam

An individual holding a phone and card.

WhatsApp adds new privacy features that everyone should start using

The WhatsApp app icon on a phone with other messaging apps.

With Tesla bleeding money, Elon Musk initiates hardcore spending review

Elon Musk talks to the press as he arrives to to have a look at the construction site of the new Tesla Gigafactory near Berlin.

WASD and arrow keys swapped? Here’s how to fix it

A closeup of gamer using a mechanical keyboard with rgb lighting

How to delete files on a Chromebook

Lenovo IdeaPad Duet 5 Chromebook open on a table.

How to factory reset an HP laptop

HP EliteBook 840 Aero G8 sitting on desk.

How to watch Samsung Galaxy Unpacked August 2022

Samsung executive TM Roh

Best Phone Deals: Save on Google Pixel 6, Galaxy S22 Ultra

Galaxy S22 Ultra and iPhone 13 Pro cameras seen from the back.

The best 4K 120Hz gaming monitors for 2022

Two people playing a video game.

Best iPhone deals and sales for August 2022

iPhone 13 Pro in blue.

Best tablet deals for August 2022

apple ipad air pro deals best buy macmall work from home sale 10 5 review screen angle 1 3 768x768