
Malwarebytes Starts Bug Bounty Program Following Recent Security Bugs


Batu69


Rewards will vary from $100 to $1,000 per bug

Malwarebytes is in the last stages of deploying permanent patches to fix a series of security bugs reported to the company by Google Project Zero security researcher Tavis Ormandy.

Malwarebytes is the company best known for Malwarebytes Anti-Malware (MBAM), a Windows and Mac OS X security product that can identify, remove, and protect users in real time against malware threats.

Back in November 2015, the Malwarebytes team was contacted by Google's famed security researcher, Tavis Ormandy, who informed the company about four pretty serious security issues with their flagship product.

Mr. Ormandy discovered that MBAM was downloading signature updates via HTTP, and also not signing the updates, allowing for basic MitM (Man-in-the-Middle) attacks to take place.

The researcher also pointed out that attackers could execute code on the user's machine using flaws in the TXTREPLACE and ACTION functions, and also leverage a local privilege escalation issue found in the engine's ACL (Access Control List) to grant themselves system-level permissions.

Following Mr. Ormandy's message, the Malwarebytes team promptly issued a hotfix in a couple of days and is now preparing to launch MBAM 2.2.1, which will fix these issues in their entirety.

Malwarebytes will pay between $100 and $1,000 per security bug

Besides patching their product, the Malwarebytes team has also decided that it's time for the company to accept outside help in managing their product's security.

For this, the firm's CEO, Marcin Kleczynski, has announced the founding of an official bug bounty program, which will help Malwarebytes keep their product bug-free, but will also reward third-party researchers that spend their time looking for security bugs.

Rewards will vary between $100 and $1,000 (€91 and €910) depending on each issue's severity, but security researchers that report lower-tier security bugs will also be eligible to receive some sort of Malwarebytes "swag."

"We are taking steps like the Bug Bounty program as well as building automatic vulnerability finding software to mitigate any potential for a future vulnerability," said Malwarebytes CEO, Mr. Kleczynski. "Our engineers have used this discovery to create new processes and methodologies that will help us to continue to scrutinize our own code, identify any weak lines or processes and to build additional tests and checkpoints into our ongoing development cycle."

In the meantime, users that are still running current or older versions of MBAM can protect themselves against attempts to exploit Ormandy's security bugs by turning on MBAM's "self-protection feature."

Article source

knowledge-Spammer

Malwarebytes will pay between $100 and $1,000 per security bug

Besides patching their product, the Malwarebytes team has also decided that it's time for the company to accept outside help in managing their product's security.

For this, the firm's CEO, Marcin Kleczynski, has announced the founding of an official bug bounty program, which will help Malwarebytes keep their product bug-free, but will also reward third-party researchers that spend their time looking for security bugs.

All my time is on security now, so I'll be rich.

PS: this is why I use Malwarebytes.



Quote

Malwarebytes working hard to fix flaws in its antivirus

The antivirus firm Malwarebytes is spending significant effort to fix serious vulnerabilities in its defense solution that were reported by the experts at Google’s Project Zero team.

The experts at Project Zero discovered that updates for Malwarebytes Antivirus were not digitally signed or downloaded over a secure HTTP connection, opening users to man-in-the-middle attacks. An attacker could manipulate the updates to hack the antivirus solution.

Google Project Zero reported the vulnerabilities to Malwarebytes in November, waiting for 90 days before publicly disclosing the vulnerability.

The experts at Malwarebytes were not able to solve the problem in the 90-day period, so the researcher Tavis Ormandy published the details of the security issue.

“Malwarebytes fetches their signature updates over HTTP, permitting a man-in-the-middle attack,” he explained in a blog post.

“Therefore, this scheme is not sufficient to prevent tampering, and the developer should sign them. There are numerous simple ways to turn this into code execution, such as specifying a target file in the network configuration, writing a new TXTREPLACE rule to modify configuration files, or modifying a registry key with a REPLACE rule.”

The chief executive at Malwarebytes, Marcin Kleczynski, admitted the difficulties in solving the problem, announcing that several more weeks would be needed to fix it.

“In early November, a well-known and respected security researcher by the name of Tavis Ormandy alerted us to several security vulnerabilities in the consumer version of Malwarebytes Anti-Malware. Within days, we were able to fix several of the vulnerabilities server-side and are now internally testing a new version (2.2.1) to release in the next 3-4 weeks to patch the additional client-side vulnerabilities. At this time, we are still triaging based on severity. The research seems to indicate that an attacker could use some of the processes described to insert their own code onto a targeted machine. Based on the findings, we believe that this could only be done by targeting one machine at a time,” he said in a blog post.

Kleczynski took the opportunity to launch the Malwarebytes Bug Bounty program, which will help the company discover any flaw in its software early and “encourage other security researchers to responsibly disclose vulnerabilities in Malwarebytes software.”

“I’d also like to take this opportunity to apologise. While these things happen, they shouldn’t happen to our users.”

http://securityaffairs.co/wordpress/44226/hacking/malwarebytes-antivirus-flaw.html
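The point Ormandy makes above (and that the opening post summarises) is that a plain HTTP download, or a bare hash, does not stop tampering: the vendor has to sign its updates and the client has to verify before applying them. The following is an added example and not Malwarebytes' code or its real update format: it signs a constructed update manifest with an Ed25519 release key and shows the client refusing a tampered payload, an altered manifest, and a manifest re-signed with a key other than the pinned one.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Manifest describes one signature-database update (a constructed format for this example).
type Manifest struct {
	Version string
	SHA256  string // hex SHA-256 of the payload the client will apply
}

// bytes returns the canonical form that is signed; editing the version or hash breaks the signature.
func (m Manifest) bytes() []byte {
	return []byte("version=" + m.Version + "\nsha256=" + m.SHA256 + "\n")
}

// SignManifest is the vendor (release) side: sign the manifest with the private release key.
func SignManifest(priv ed25519.PrivateKey, m Manifest) []byte {
	return ed25519.Sign(priv, m.bytes())
}

// VerifyUpdate is the client side: apply nothing unless the manifest carries a valid signature
// from the pinned vendor key AND the downloaded payload matches the manifest hash.
func VerifyUpdate(pub ed25519.PublicKey, m Manifest, sig, payload []byte) error {
	if !ed25519.Verify(pub, m.bytes(), sig) {
		return errors.New("manifest signature invalid: refusing update")
	}
	sum := sha256.Sum256(payload)
	if hex.EncodeToString(sum[:]) != m.SHA256 {
		return errors.New("payload hash mismatch: refusing update")
	}
	return nil
}

func main() {
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(rand.Reader) // vendorPub is pinned in the client
	payload := []byte("rule 1: sample detection\n")           // constructed update body
	sum := sha256.Sum256(payload)
	m := Manifest{Version: "2016.02.02", SHA256: hex.EncodeToString(sum[:])}
	sig := SignManifest(vendorPriv, m)
	fmt.Println("genuine update:", VerifyUpdate(vendorPub, m, sig, payload))
	fmt.Println("tampered payload:", VerifyUpdate(vendorPub, m, sig, []byte("tampered\n")))
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader) // a key the client does not trust
	fmt.Println("re-signed with untrusted key:", VerifyUpdate(vendorPub, m, SignManifest(otherPriv, m), payload))
}
```

Transport security (HTTPS with certificate validation) still belongs on top of this; the signature is what protects the client even when the transport is compromised.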


Google lays bare security flaws in anti-malware products

Google lays bare security flaws in anti-malware product with 250 million users

Malwarebytes says it will take about a month to deploy a patch to fix vulnerabilities found by Google's Project Zero bug hunters.

Malwarebytes says it could take three to four weeks to fix security flaws found by Google in its popular anti-malware product.

Google's bug-hunting squad, Project Zero, first notified the internet-security firm of the four vulnerabilities in November but on Tuesday went ahead and detailed the separate flaws and attack methods in a redacted report published on the group's bug repository.

Project Zero researcher Tavis Ormandy found that the Malwarebytes client was fetching malware signature updates over unencrypted HTTP, leaving those definitions open to tampering in a man-in-the-middle attack.

The researcher only probed Malwarebytes' consumer edition. However, the bugs also affect the company's premium product.

Marcin Kleczynski, CEO and founder of Malwarebytes, said enabling 'self-protection' under settings should mitigate the problem while it works on a proper fix.


Malwarebytes recently noted that its software was running on 250 million machines worldwide.

Project Zero offers vendors 90 days to fix flaws and alert customers before publishing details of bugs its researchers have found. Malwarebytes appears to have been given an extension, with its grace period technically having expired on January 11.

Kleczynski apologized to users for the flaws and, in response to Ormandy's efforts, has launched a bug-bounty program, offering up to $1,000 to researchers who report flaws in its products.

"Unfortunately, vulnerabilities are the harsh reality of software development," Kleczynski said. "A vulnerability disclosure program is one way to accelerate the discovery of these vulnerabilities and empower companies like Malwarebytes to fix them."

Bugs in security products do pose a unique threat to users due to the sensitive permissions they have.

They have also come under the spotlight following a report by The Intercept that Britain's GCHQ had sought a warrant to probe Kaspersky antivirus for security flaws to aid its own hacking efforts.

The NSA has also taken a keen interest in non-US antivirus products, including Kaspersky, ESET, and F-Secure.

Malwarebytes anti-malware is the latest security software to be lanced by Ormandy, who has found serious flaws in products from AVG, Kaspersky, FireEye, Trend Micro, ESET, Sophos, and most recently in Comodo's Chromodo Chrome fork.

In all cases, products that are designed to protect users from threats exposed them to further risks through insecure code.

http://www.zdnet.com/article/google-lays-bare-security-flaws-in-anti-malware-product-with-250-million-users/
Malwarebytes still fixing flaws in antivirus software

Malwarebytes said it could take three or four weeks to fix flaws in its consumer product that were found by a Google security researcher.

The company has fixed several server-side vulnerabilities but is still testing a new version of its Anti-Malware product to fix client-side problems, CEO Marcin Kleczynski said in a blog post.

In the meantime, customers can implement a workaround: those using the premium version of Anti-Malware "should enable self-protection under settings to mitigate all of the reported vulnerabilities," he wrote.

Kleczynski apologized, saying vulnerabilities are a reality that come with software development. "While these things happen, they shouldn’t happen to our users," he wrote.

Google researcher Tavis Ormandy uncovered several issues with the Anti-Malware product, including that it doesn't use encryption when downloading fresh signatures.

That opens the possibility for a man-in-the-middle attack, Ormandy said in an advisory. An attacker could potentially replace the signature file.

Ormandy also found three other issues, including a privilege escalation flaw.

He reported the flaws to Malwarebytes in November and gave the company 90 days to fix them before going public.

Ormandy has been analyzing quite a few security products lately and finding alarming problems. Last month, he found a problem in Trend Micro's antivirus software that could be used to steal stored passwords.

Vulnerabilities in security products are especially dangerous since they often have deep access to a computer's operating system.

Dozens of serious vulnerabilities were found last year in antivirus products from vendors including Kaspersky Lab, ESET, Avast, AVG Technologies and Intel Security (formerly McAfee). Security experts have warned for years that flaws in endpoint protection products pose a big risk.

http://www.pcworld.com/article/3029314/security/malwarebytes-still-fixing-flaws-in-antivirus-software.html


Malwarebytes still fixing flaws in antivirus software

The company apologized, saying vulnerabilities are a reality of software development.

Malwarebytes said it could take three or four weeks to fix flaws in its consumer product that were found by a Google security researcher.

The company has fixed several server-side vulnerabilities but is still testing a new version of its Anti-Malware product to fix client-side problems, CEO Marcin Kleczynski said in a blog post.

In the meantime, customers can implement a workaround: Those using the premium version of Anti-Malware "should enable self-protection under settings to mitigate all of the reported vulnerabilities," he wrote.

Kleczynski apologized, saying vulnerabilities are a reality that come with software development. "While these things happen, they shouldn’t happen to our users," he wrote.

Google researcher Tavis Ormandy uncovered several issues with the Anti-Malware product, including that it doesn't use encryption when downloading fresh signatures.

That opens the possibility for a man-in-the-middle attack, Ormandy said in an advisory. An attacker could potentially replace the signature file.

Ormandy also found three other issues, including a privilege escalation flaw.

He reported the flaws to Malwarebytes in November and gave the company 90 days to fix them before going public.

Ormandy has been analyzing quite a few security products lately and finding alarming problems. Last month, he found a problem in Trend Micro's antivirus software that could be used to steal stored passwords.

Vulnerabilities in security products are especially dangerous since they often have deep access to a computer's operating system.

Dozens of serious vulnerabilities were found last year in antivirus products from vendors including Kaspersky Lab, ESET, Avast, AVG Technologies and Intel Security (formerly McAfee). Security experts have warned for years that flaws in endpoint protection products pose a big risk.

SOURCE