AV vendor Malwarebytes has said that fixes for vulnerabilities in its products, discovered by Google’s Project Zero team back in early November, will not be ready for another three or four weeks, even though the flaws have now been made public.
CEO and founder of the company, Marcin Kleczynski, revealed in a blog post on Monday that it managed to plug several server-side holes reported by well-known researcher Tavis Ormandy “within days.”
However, the client-side issues appear to be taking longer than expected, with Malwarebytes currently testing a new product version (2.2.1) which will be made available within a month to fix the vulnerabilities.
“The research seems to indicate that an attacker could use some of the processes described to insert their own code onto a targeted machine. Based on the findings, we believe that this could only be done by targeting one machine at a time,” explained Kleczynski.
“However, this is of sufficient enough a concern that we are seeking to implement a fix. Consumers using the Premium version of Malwarebytes Anti-Malware should enable self-protection under settings to mitigate all of the reported vulnerabilities.”
The vendor is still triaging based on severity, he added.
Although Kleczynski fell short of providing more details about the flaws, they can be found on Google’s Security Research site.
The main issue seems to be that Malwarebytes updates are neither signed nor downloaded over a secure, encrypted channel, opening the door to man-in-the-middle attacks.
“The protocol involves downloading YAML files over HTTP for each update from http://data-cdn.mbamupdates.com,” wrote Ormandy. “Although the YAML files include an MD5 checksum, as it's served over HTTP and not signed, an attacker can simply replace it.”
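To make Ormandy's point concrete, here is an added example (not code from Malwarebytes or from the Project Zero report) showing why an MD5 checksum delivered over the same unauthenticated channel as the file adds no integrity, and what a signed manifest changes. The manifest layout, the Ed25519 key generated at runtime and the update contents are all constructed for the demonstration; the real update format and keys are not on the page and are assumed here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/md5"
	"crypto/rand"
	"encoding/hex"
	"fmt"
)

// Manifest is a constructed stand-in for per-update metadata: the payload
// plus the hex MD5 checksum that travels alongside it.
type Manifest struct {
	Payload []byte
	MD5Hex  string
}

// NewManifest builds a manifest with a freshly computed MD5 checksum. Anyone
// who can rewrite the payload in transit can call the same function, which is
// the whole problem with an unsigned checksum.
func NewManifest(payload []byte) Manifest {
	sum := md5.Sum(payload)
	return Manifest{Payload: payload, MD5Hex: hex.EncodeToString(sum[:])}
}

// ChecksumOnlyVerify models the weak client check: recompute MD5 and compare
// it to the checksum that arrived over the same HTTP channel.
func ChecksumOnlyVerify(m Manifest) bool {
	sum := md5.Sum(m.Payload)
	return hex.EncodeToString(sum[:]) == m.MD5Hex
}

// signedBytes is the exact byte string the publisher signs: payload and
// checksum together, so neither can be swapped without breaking the signature.
func signedBytes(m Manifest) []byte {
	out := append([]byte{}, m.Payload...)
	return append(out, []byte("\n"+m.MD5Hex)...)
}

// Sign is what the update publisher does offline with its private key.
func Sign(priv ed25519.PrivateKey, m Manifest) []byte {
	return ed25519.Sign(priv, signedBytes(m))
}

// SignedVerify is the hardened client check: the checksum still catches
// corruption, but only a signature from the pinned public key proves origin.
func SignedVerify(pub ed25519.PublicKey, m Manifest, sig []byte) bool {
	return ChecksumOnlyVerify(m) && ed25519.Verify(pub, signedBytes(m), sig)
}

// GenuineVerifies confirms an untouched, properly signed manifest passes.
func GenuineVerifies() (bool, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, err
	}
	m := NewManifest([]byte("constructed update contents v2.2.1"))
	return SignedVerify(pub, m, Sign(priv, m)), nil
}

// ReplacedUpdateOutcome returns (checksumAccepts, signatureAccepts) for a
// manifest whose payload and checksum were both rewritten after signing,
// which is the in-transit replacement Ormandy describes.
func ReplacedUpdateOutcome() (bool, bool, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, err
	}
	original := NewManifest([]byte("constructed update contents v2.2.1"))
	sig := Sign(priv, original) // signature covers the original only

	// The replaced manifest carries a self-consistent MD5 for its new payload.
	replaced := NewManifest([]byte("constructed replacement contents"))
	return ChecksumOnlyVerify(replaced), SignedVerify(pub, replaced, sig), nil
}

func main() {
	ok, _ := GenuineVerifies()
	cs, sg, _ := ReplacedUpdateOutcome()
	fmt.Printf("genuine update: signed verify=%v\n", ok)
	fmt.Printf("replaced update: checksum-only=%v signed=%v\n", cs, sg)
}
```

The checksum-only check accepts the replaced update because the attacker-supplied checksum matches the attacker-supplied payload; the signed check rejects it because the signature was computed over the original bytes and the client never trusted anything from the transport itself. Serving the same files over TLS would protect the channel, but a signature verified against a key baked into the client also protects against a compromised CDN, which is why the two controls are usually combined.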
Kleczynski also took the opportunity to launch a new bug bounty program in a bid to encourage security researchers to disclose any future bugs in Malwarebytes products responsibly.
“We are taking steps like the Bug Bounty program as well as building automatic vulnerability finding software to mitigate any potential for a future vulnerability,” he explained.
“In addition, our engineers have used this discovery to create new processes and methodologies that will help us to continue to scrutinize our own code, identify any weak lines or processes and to build additional tests and checkpoints into our ongoing development cycle.”
Malwarebytes is by no means the first security vendor caught out by Ormandy – the list includes the likes of Trend Micro, FireEye and Kaspersky Lab, among others.
Project Zero has been criticized in some quarters for automatically publicizing the details of flaws it has brought to the attention of vendors after 90 days, even if they’ve failed to patch them.