GOOGLE’S SECURITY street gang Project Zero has been kicking sand in the face of Malwarebytes and picking the firm’s protection precautions apart.
Malwarebytes usually wears the boot in this kind of thing, but Project Zero has taken a punt in the security firm’s direction and accused it of all sorts of bad things.
This is not the first time that Project Zero has pointed fingers, as the gang only recently made Microsoft, FireEye and Trend Micro look bad.
Malwarebytes has “multiple security issues” that can open users to man-in-the-middle attacks and other things that you might choose to avoid, according to a Project Zero report from researcher Tavis Ormandy.
The post said that the problem has been fixed, but a lot of the details have been redacted which, of course, makes things more interesting.
Ormandy claimed that Google told the firm about the problem last year, and gave it 90 days before getting the sandwich board out and marching round the community.
“Malwarebytes fetches their signature updates over HTTP, permitting a man-in-the-middle attack. The protocol involves downloading YAML files over HTTP for each update from http://data-cdn.mbamupdates.com. Although the YAML files include an MD5 checksum, as it’s served over HTTP and not signed an attacker can simply replace it,” he wrote.
“It’s possible the developer believed that an attacker cannot tamper with the data as it’s encrypted with the hardcoded RC4 key [redacted] for configuration data, and [redacted] for definitions. However, this is not the case. OpenSSL commands can be used to decrypt, edit and then re-encrypt the definitions and configuration data.”
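To make the point in Ormandy’s quote concrete, here is an added example (not code from Malwarebytes or from the Project Zero report) that mirrors an update client’s checks on local files. It assumes only that openssl is on the PATH; the definitions file, manifest layout, key pair and file names are all constructed for the example. It shows that a manifest whose only integrity field is an MD5 checksum accepts a rewritten payload once the checksum is recomputed, while a detached signature over the manifest, verified against a public key shipped with the client, rejects it. Encrypting the files with a key that ships inside the client (as with the hardcoded RC4 key above) changes nothing here: whoever holds the client holds the key, so encryption gives no authenticity.

```sh
#!/bin/sh
# Added example, not Malwarebytes' code or anything from the Project Zero report.
# Assumes: openssl on PATH. Every file name and file content below is constructed.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Publisher side: a signing key pair. Only the public half would be built into
# the update client; the private half never leaves the publisher.
openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/publisher.key" 2>/dev/null
openssl ec -in "$WORK/publisher.key" -pubout -out "$WORK/publisher.pub" 2>/dev/null

md5_of() {  # $1 = file; prints the hex MD5 digest
    openssl dgst -md5 "$1" | awk '{print $NF}'
}

make_manifest() {  # $1 = payload file, $2 = manifest path to write
    # Mirrors the article: the manifest carries only an MD5 of the payload.
    printf 'payload: defs.yaml\nmd5: %s\n' "$(md5_of "$1")" > "$2"
}

sign_manifest() {  # $1 = manifest, $2 = signature path; publisher-side step
    openssl dgst -sha256 -sign "$WORK/publisher.key" -out "$2" "$1"
}

# Client-side checks --------------------------------------------------------
md5_check() {  # $1 = payload, $2 = manifest; 0 if the embedded MD5 matches
    expected=$(sed -n 's/^md5: //p' "$2")
    [ -n "$expected" ] && [ "$expected" = "$(md5_of "$1")" ]
}

sig_check() {  # $1 = manifest, $2 = signature; 0 only if signed by the publisher
    openssl dgst -sha256 -verify "$WORK/publisher.pub" -signature "$2" "$1" >/dev/null 2>&1
}

verify_update() {  # $1 = payload, $2 = manifest, $3 = signature
    # Signature first: it authenticates the manifest, and the manifest's digest
    # then binds the payload. The MD5 on its own proves nothing about origin.
    sig_check "$2" "$3" && md5_check "$1" "$2"
}

# Genuine release: payload, manifest and signature all come from the publisher.
printf 'rule: example-definition-1\n' > "$WORK/defs.yaml"
make_manifest "$WORK/defs.yaml" "$WORK/manifest.yaml"
sign_manifest "$WORK/manifest.yaml" "$WORK/manifest.sig"

# The same files as they would look after being rewritten on the wire
# (constructed): payload changed, manifest regenerated so its MD5 matches.
# The signature is still the genuine one; without the private key no fresh
# signature over the rewritten manifest can be produced.
printf 'rule: not-from-publisher\n' > "$WORK/defs_mod.yaml"
make_manifest "$WORK/defs_mod.yaml" "$WORK/manifest_mod.yaml"

if verify_update "$WORK/defs.yaml" "$WORK/manifest.yaml" "$WORK/manifest.sig"; then
    echo "genuine update: accepted"
fi
if md5_check "$WORK/defs_mod.yaml" "$WORK/manifest_mod.yaml"; then
    echo "modified update: the MD5 check on its own accepts it"
fi
if ! verify_update "$WORK/defs_mod.yaml" "$WORK/manifest_mod.yaml" "$WORK/manifest.sig"; then
    echo "modified update: the signature check rejects it"
fi
```

The manifest keeps MD5 only to mirror the article; a real signed manifest should carry SHA-256 digests. Serving the files over HTTPS would close the on-path case, but the signature is what lets the client trust an update regardless of which CDN or transport delivered it, which is why the two checks complement rather than replace each other.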
We asked Malwarebytes to talk about this by email, and are waiting for a response. It was only last week that the firm proudly announced a bug bounty reward programme which, presumably, will pay for itself.
Malwarebytes did contact us over Twitter, however, to publicly acknowledge its shame and share its thanks to Google and apologies to users.
The tweet led us to a blog post where the reward programme is revealed to be a reaction to such alerts.
“Unfortunately, vulnerabilities are the harsh reality of software development. In fact, this year alone our researchers have found and reported several vulnerabilities with other software,” wrote Marcin Kleczynski, CEO at Malwarebytes.
“A vulnerability disclosure programme is one way to accelerate the discovery of these vulnerabilities and empower companies like Malwarebytes to fix them.
“We are taking steps like the bug bounty programme as well as building automatic vulnerability-finding software to mitigate any potential for a future vulnerability.
“In addition, our engineers have used this discovery to create new processes and methodologies that will help us continue to scrutinise our own code, identify any weak lines or processes and build additional tests and checkpoints into our ongoing development cycle.” µ