Malwarebytes starts 'Bug Bounty' program after discovery of vulnerabilities

Status
Not open for further replies.

kev216

Source: Malwarebytes Anti-Malware Vulnerability Disclosure

In early November, a well-known and respected security researcher by the name of Tavis Ormandy alerted us to several security vulnerabilities in the consumer version of Malwarebytes Anti-Malware.

Within days, we were able to fix several of the vulnerabilities server-side and are now internally testing a new version (2.2.1) to release in the next 3-4 weeks to patch the additional client-side vulnerabilities. At this time, we are still triaging based on severity.

The research seems to indicate that an attacker could use some of the processes described to insert their own code onto a targeted machine. Based on the findings, we believe that this could only be done by targeting one machine at a time.

However, this is of sufficient enough a concern that we are seeking to implement a fix. Consumers using the Premium version of Malwarebytes Anti-Malware should enable self-protection under settings to mitigate all of the reported vulnerabilities.

Unfortunately, vulnerabilities are the harsh reality of software development. In fact, this year alone, our researchers have found and reported several vulnerabilities with other software. A vulnerability disclosure program is one way to accelerate the discovery of these vulnerabilities and empower companies like Malwarebytes to fix them.

I’d like to take this opportunity to launch the Malwarebytes Bug Bounty program which I hope will encourage other security researchers to responsibly disclose vulnerabilities within Malwarebytes software.

I’d also like to take this opportunity to apologize. While these things happen, they shouldn’t happen to our users.

We are taking steps like the Bug Bounty program as well as building automatic vulnerability finding software to mitigate any potential for a future vulnerability. In addition, our engineers have used this discovery to create new processes and methodologies that will help us to continue to scrutinize our own code, identify any weak lines or processes and to build additional tests and checkpoints into our ongoing development cycle.

If you have any specific questions, feel free to e-mail secure@malwarebytes.org and we’ll get back to you.
 

jamescv7

Every company should have this bug bounty program, because it will not only make more enthusiastic users find holes but also help in learning a new curve of targeted attacks, which can be used as a reference basis.
 

Av Gurus

A recently disclosed vulnerability in Malwarebytes Anti-Malware (free, premium and enterprise) allows attackers to run man in the middle attacks against systems running the software.

Malwarebytes Anti-Malware is a popular second-opinion scanner, and the premium and enterprise editions of the program add real-time protection among other things to it which bring it more in line with traditional antivirus solutions.

The program is held in high regard by many for its malware detection and cleaning capabilities.

Google researcher Tavis Ormandy alerted Malwarebytes in early November 2015 to several security vulnerabilities that he found in Malwarebytes Anti-Malware.



Malwarebytes managed to patch several of these vulnerabilities server-side "within days", and is testing a new version of the client software internally, which it plans to release in the next three to four weeks, that patches the issue on the client side as well.

Ormandy discovered that the software fetches signature updates over HTTP. While the data is encrypted, he discovered that it is easy enough for anyone to decrypt it using OpenSSL commands.

MalwareBytes fetches their signature updates over HTTP, permitting a man in the middle attack. The protocol involves downloading YAML files over HTTP for each update from http://data-cdn.mbamupdates.com. Although the YAML files include an MD5 checksum, as it's served over HTTP and not signed, an attacker can simply replace it.

Attackers have various options at their disposal to exploit the issue.

There are numerous simple ways to turn this into code execution, such as specifying a target file in the network configuration, writing a new TXTREPLACE rule to modify configuration files, or modifying a Registry Key with a REPLACE rule.

Malwarebytes confirmed the vulnerability publicly in a recent blog post revealing that it is working on a fix. The company announced the launch of the Malwarebytes Bug Bounty program offering cash bug bounties of up to $1000 for reported issues in the application.

Users who run the premium or enterprise version of the application can protect it by enabling the built-in self-protect module:

  1. Right-click on the Malwarebytes Anti-Malware icon in the system tray and select the open option from it.
  2. Switch to Settings > Advanced Settings.
  3. Check "Enable self-protection module" if it is not enabled already.

Google's Project Zero initiative revealed vulnerabilities in products by security companies such as AVG, Kaspersky, Sophos and TrendMicro in the past.

SOURCE: Security Issues in Malwarebytes Anti-Malware disclosed - gHacks Tech News
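
The point in the post above, that an MD5 checksum served over the same unauthenticated HTTP channel gives no integrity, shown as an added example (not part of the original post and not Malwarebytes' code). The update body, key and function names are constructed for illustration, and the HMAC is a standard-library stand-in for the public-key signature a real updater would verify against a key pinned in the client.

```python
import hashlib
import hmac

# Constructed sample update bodies; not the vendor's real rule format.
ORIGINAL_BODY = b"rules:\n  - id: sample-1\n    action: quarantine\n"
TAMPERED_BODY = b"rules:\n  - id: sample-1\n    action: ignore\n"

# Constructed key. Stand-in for a signing key that never travels with the update.
VENDOR_KEY = b"constructed-demo-key"


def package(body: bytes) -> dict:
    """Build an update as the page describes: a body plus its own MD5 checksum."""
    return {"body": body, "md5": hashlib.md5(body).hexdigest()}


def on_path_rewrite(new_body: bytes) -> dict:
    """Model of a rewrite on plain HTTP: body and checksum travel together,
    so whoever changes one can recompute the other."""
    return package(new_body)


def checksum_only_accepts(update: dict) -> bool:
    """Weak check: compares the body to a checksum from the same channel."""
    return hashlib.md5(update["body"]).hexdigest() == update["md5"]


def sign(body: bytes, key: bytes = VENDOR_KEY) -> str:
    """Vendor side: authentication tag over the body (signature stand-in)."""
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def authenticated_accepts(update: dict, tag: str, key: bytes = VENDOR_KEY) -> bool:
    """Hardened check: the tag depends on a secret the network path lacks."""
    return hmac.compare_digest(sign(update["body"], key), tag)


def demo() -> dict:
    """Run both checks over the genuine and the rewritten update."""
    genuine = package(ORIGINAL_BODY)
    rewritten = on_path_rewrite(TAMPERED_BODY)
    tag = sign(ORIGINAL_BODY)  # issued by the vendor for the genuine body only
    return {
        "checksum_genuine": checksum_only_accepts(genuine),
        "checksum_rewritten": checksum_only_accepts(rewritten),
        "auth_genuine": authenticated_accepts(genuine, tag),
        "auth_rewritten": authenticated_accepts(rewritten, tag),
    }


if __name__ == "__main__":
    print(demo())
```

The checksum-only client accepts both updates; only the check bound to a key outside the download channel rejects the rewritten one. Fetching over TLS with certificate validation closes the same gap at the transport layer.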
 

SloppyMcFloppy

I believe enabling the Malwarebytes self-protection module is optional. I myself never get infected, so meh, I just leave it alone.
 

Sana

So, they came out and disclosed that there was something wrong. Then a customer complains, "What am I paying for?" Malwarebytes's response is :cool:

Untitled.png

snapped from: Malwarebytes Anti-Malware Vulnerability Disclosure

I definitely am glad that I bought a product from a company whose people stand for and believe in their products / services!
 