Malwarebytes flaws that were detected back in November of 2015 are still being fixed. It was reported back then that the updates were not delivered over a secure channel (HTTPS) but over plain HTTP. This is a significant exposure to attackers who can position themselves between the client and Malwarebytes' update servers, since nothing on the wire prevents the update content from being altered in transit.
This flaw came out in the public via a posting by Google that said, “Malwarebytes fetches their signature updates over HTTP, permitting a man-in-the-middle attack”.
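To make the point concrete, here is an added example, not Malwarebytes' code or any reconstruction of it, of the two defensive checks that close this class of gap: refuse update URLs that are not HTTPS, and verify a detached signature on the update payload before accepting it, so that integrity does not rest on the transport alone. The vendor key, URLs and payloads are constructed for the example; HMAC over a pre-provisioned key is a stand-in for the asymmetric signature a real product would use, but the workflow is the same.

```python
"""
Added example (not Malwarebytes' code): a minimal update fetch/verify routine
that refuses plaintext HTTP and checks a detached signature on the payload
before accepting it. All keys, URLs and payloads below are constructed.
"""
import hashlib
import hmac
from urllib.parse import urlparse

# Hypothetical vendor verification key, pre-provisioned in the client.
# A real product would embed a public key and verify an asymmetric signature;
# HMAC with a shared key is used here purely as a stand-in with the same flow.
VENDOR_KEY = b"example-vendor-key-not-real"


def check_update_url(url: str) -> bool:
    """Return True only for HTTPS URLs with a host; plain HTTP is rejected."""
    parts = urlparse(url)
    return parts.scheme == "https" and bool(parts.netloc)


def sign_payload(payload: bytes, key: bytes = VENDOR_KEY) -> str:
    """Server side: produce the detached signature shipped beside the update."""
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def verify_update(payload: bytes, signature_hex: str, key: bytes = VENDOR_KEY) -> bool:
    """Client side: recompute the signature and compare in constant time."""
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, signature_hex)


def accept_update(url: str, payload: bytes, signature_hex: str) -> bool:
    """Accept an update only if the transport is HTTPS AND the payload verifies.

    Either check alone is insufficient: HTTPS without signing trusts the CDN and
    every TLS-terminating hop; signing without HTTPS still leaks what was fetched
    and lets an on-path attacker serve stale (but validly signed) updates.
    """
    if not check_update_url(url):
        return False
    return verify_update(payload, signature_hex)


# Constructed sample data: a genuine update, its signature, and a tampered copy
# of the kind an on-path attacker could substitute over plain HTTP.
GENUINE = b"signatures-db-v2.2.1: rule1,rule2"
GENUINE_SIG = sign_payload(GENUINE)
TAMPERED = b"signatures-db-v2.2.1: rule1,rule2,disable-detection"

if __name__ == "__main__":
    print(accept_update("https://updates.example.test/db", GENUINE, GENUINE_SIG))   # True
    print(accept_update("http://updates.example.test/db", GENUINE, GENUINE_SIG))    # False
    print(accept_update("https://updates.example.test/db", TAMPERED, GENUINE_SIG))  # False
```

The tampered payload fails even over HTTPS, which is the property that matters: a client that verifies signatures can safely tolerate a compromised or misconfigured transport, whereas a client that only trusts the channel has no defence once that channel is plain HTTP.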
Malwarebytes is well past the 90-day deadline by which it was supposed to fix the flaw, and chief executive Marcin Kleczynski admitted that it will take several more weeks to fix the problem.
“Within days, we were able to fix several of the vulnerabilities server-side and are now internally testing a new version (2.2.1) to release in the next three to four weeks to patch the additional client-side vulnerabilities. At this time, we are still triaging based on severity,” he said in a blog post.
Malwarebytes' reputation has taken some damage from Google's disclosure of the flaw, and soon afterwards the CEO of Malwarebytes launched the Malwarebytes Bug Bounty scheme, which he hopes will encourage people to report such flaws more responsibly. Experts have said that going public with flaws in Malwarebytes will hurt more than help: attackers learn of the weakness immediately and can exploit it before a fix ships.
“The controversy around Project Zero began in December when Google publicly disclosed an obscure flaw in Windows 8.1’s NtApphelpCacheControl that could theoretically be exploited, with difficulty, by hackers.
The move caused ripples in the security community as Microsoft claims that it had responded to Google’s private disclosure in September and asked the firm to delay the public report so that it could release a fix as a part of the January security update, which it did.”