Time's up
Google's Project Zero team doesn't mess around when it comes to security vulnerabilities: if it finds one that's noteworthy, it gives companies 90 days to fix the issue before going public. Surprisingly, one of the latest disclosures involved Malwarebytes, a popular anti-malware program.
No anti-malware program is perfect, though in our experience, Malwarebytes does a good job of detecting threats that other software solutions miss. Be that as it may, Google Project Zero researcher Tavis Ormandy discovered a few security holes in Malwarebytes that could leave users vulnerable to attack, The Register reports. He alerted the company back in November of last year, but since several of the security issues have gone unpatched, they're now public.
One of the lingering issues is that Malwarebytes doesn't use a secure channel to deliver updates, nor are the updates signed, which leaves users open to man-in-the-middle attacks: an attacker who can tamper with traffic between the client and the update server could substitute their own update package, and the client has no way to tell. The other security holes could lead to things like remote code execution and trivial privilege escalation.
The good news is Malwarebytes isn't ignoring the threats, nor does it appear salty at Ormandy for pointing them out (companies *ahem* Microsoft *ahem* haven't always been receptive to Project Zero's 90-day policy).
"In early November, a well-known and respected security researcher by the name of Tavis Ormandy alerted us to several security vulnerabilities in the consumer version of Malwarebytes Anti-Malware," Malwarebytes stated in a blog post. "Within days, we were able to fix several of the vulnerabilities server-side and are now internally testing a new version (2.2.1) to release in the next 3-4 weeks to patch the additional client-side vulnerabilities. At this time, we are still triaging based on severity."
Malwarebytes doesn't necessarily agree with Project Zero and Ormandy regarding the severity of the security holes, but it is concerned enough with the findings that it's issuing fixes.
The company also announced a bug bounty program that will pay anywhere from $100 to $1,000 per qualifying bug, depending on the severity.
From maximumpc
