Malwarebytes Anti-Malware vulnerability disclosure

Posted: February 1, 2016 by Marcin Kleczynski
Last updated: September 29, 2017

In early November, a well-known and respected security researcher by the name of Tavis Ormandy alerted us to several security vulnerabilities in the consumer version of Malwarebytes Anti-Malware.

Within days, we were able to fix several of the vulnerabilities server-side and are now internally testing a new version (2.2.1) to release in the next 3-4 weeks to patch the additional client-side vulnerabilities. At this time, we are still triaging based on severity.

The research seems to indicate that an attacker could use some of the processes described to insert their own code onto a targeted machine. Based on the findings, we believe that this could only be done by targeting one machine at a time.

However, this is of sufficient enough a concern that we are seeking to implement a fix. Consumers using the Premium version of Malwarebytes Anti-Malware should enable self-protection under settings to mitigate all of the reported vulnerabilities.

Unfortunately, vulnerabilities are the harsh reality of software development. In fact, this year alone, our researchers have found and reported several vulnerabilities with other software. A vulnerability disclosure program is one way to accelerate the discovery of these vulnerabilities and empower companies like Malwarebytes to fix them.

I’d like to take this opportunity to launch the Malwarebytes Bug Bounty program which I hope will encourage other security researchers to responsibly disclose vulnerabilities within Malwarebytes software.

I’d also like to take this opportunity to apologize. While these things happen, they shouldn’t happen to our users.

We are taking steps like the Bug Bounty program as well as building automatic vulnerability finding software to mitigate any potential for a future vulnerability. In addition, our engineers have used this discovery to create new processes and methodologies that will help us to continue to scrutinize our own code, identify any weak lines or processes and to build additional tests and checkpoints into our ongoing development cycle.

If you would like to report anything, please e-mail bug-bounty@malwarebytes.com and we’ll get back to you.

Marcin

COMMENTS

Adrian Tomas

Keep up the great work!
Benjamin Oslund

This is exactly why I love Malwarebytes, they fix any issues they find, and improve there apps greatly with every update.
Nicholas Staines

Well I’m taking that advice. Enabling self protection on my M.B.A.M.P. This why like you guys. Not ashamed to say your software isn’t perfect, but also make even greater!
Pingback: Onderzoeker vindt beveiligingsgaten in Malwarebytes Anti-Malware | Infosecurity Magazine()
Hurricane Andrew

Thank you so doing the responsible thing, providing public notification and taking vulnerabilities seriously. The only furthers my faith in and respect for Malwarebytes.
Pingback: 2 – Malwarebytes Anti-Malware Vulnerability Disclosure()
foxman751

new version form Malwarebytes Anti-Malware (2.2.1 will have behavior or not ?
davidm

Presumably as we are now in early February, that means that you will be refunding us all for the 3 months (4 til you fix it by the sound of it) of premium service that we have paid for when the software is not safe?
Marcin Kleczynski

David, happy to refund you the full amount of the software. Shoot me an e-mail, mkleczynski@malwarebytes.org.
Willem_van_Brinkstaete

First of all, kudos for the upfront communication.
One question though.
As you write, MBAM’s own researchers have found vulns in other software while Ormandy found vulns in MBAM (among other software).
How come, your own researchers have (seemingly) overlooked the vulns found by Ormandy?
I’d assume they have much more time and inclination to find such vulns than Ormandy.
Or is Ormandy simply a ‘vulns-genius’?
Marcin Kleczynski

Great question and the honest answer is we should be looking at ourselves before we look at others. Our research team is going to focus a lot more on Malwarebytes software.
Pingback: Malwarebytes Warns Users On Security Bug In Its Own Anti-Malware Software | Lifehacker Australia()
Pingback: Malwarebytes still fixing flaws in antivirus software – Hack Space()
Pingback: Malwarebytes still fixing flaws in antivirus software | Trenzio TechWorld()
foxman751

new version form Malwarebytes Anti-Malware (2.2.1 will have behavior or not ?
Pingback: Malwarebytes still fixing flaws in antivirus software | Antivirus and Security news()
Pingback: ste williams – Google ninjas go public with security holes in Malwarebytes antivirus()
Drew Winters

No software is perfect. Anyone who tries to sell you that idea is downright lying. Having said that, MBAM is one of my favourite programs. The fact that it was victim of vulnerabilities will not change the fact that I will continue to like and use the program. However, it is in these times that one must remember to always have layering, even in home PCs. Firewall, backups, instant restore software (Rollback Rx) are crucial.
Pingback: Malwarebytes still fixing flaws in antivirus software | Complete IT News Portal()
Pingback: Malwarebytes still fixing flaws in antivirus software | Misagh Navazeni()
Pingback: Malwarebytes still fixing flaws in antivirus software | Ian Young's Blog()
Pingback: Malwarebytes still fixing flaws in antivirus software - News Press()
Pingback: Malwarebytes still fixing flaws in antivirus software | Templar Shield()
Pingback: Malwarebytes still fixing flaws in antivirus software-IT大道()
Pingback: Malwarebytes still fixing flaws in antivirus software - Micro Penguin()
Pingback: Malwarebytes still fixing flaws in antivirus software | Tech News - Latest Tech, Gadgets & Science()
Pingback: Revelation of security bugs jumpstarts launch of Malwarebytes' bug bounty program | OSINFO()
Pingback: Malwarebytes still fixing flaws in antivirus software – CTS()
Pingback: Malwarebytes Anti-Malware Vulnerability Disclosure – Pingie()
Pingback: Google's Project Zero Outs Malwarebytes Update Flaw | Digital Trends()
Pingback: Vulnerabilities found in Malwarebytes Anti-Malware | My Blog()
Pingback: Security Issues in Malwarebytes Anti-Malware disclosed - gHacks Tech News()
Pingback: Google's project Zero | Malwarebytes provides poor update security - Let Us Tweak()
Pingback: Use Malwarebytes antivirus? Then you must see what Google has found… – NaijaKonnect.com – Start, learn, run and grow your business.()
Pingback: Use Malwarebytes antivirus? Then you must see what Google has found… - Gadget Interest()
Pingback: Security Issues in Malwarebytes Anti-Malware disclosed | vpsdash()
Pingback: Use Malwarebytes antivirus? Then you must see what Google has found… - Tech News and Reviews()
Pingback: Use Malwarebytes antivirus? Then you should see what Google has found – DailyITfix.com- Get Your Geek Fix()
Pingback: Use Malwarebytes antivirus? Then you must see what Google has found… |()
Pingback: Use Malwarebytes antivirus? Then you must see what Google has found… | Tech tech.yuvesti.org()
Pingback: Use Malwarebytes antivirus? Then you must see what Google has found… | World News()
Pingback: Use Malwarebytes antivirus? Then you must see what Google has found… | RN()
Pingback: Use Malwarebytes antivirus? Then you should see what Google has found | Malaysia Marketing Community()
Pingback: Use Malwarebytes antivirus? Then you should see what Google has found | Tech tech.yuvesti.org()
Pingback: Use Malwarebytes antivirus? Then you must see what Google has found… - 3Tech | Tech news and Reviews()
Pingback: Use Malwarebytes antivirus? Then you should see what Google has found - X Tech News()
Pingback: Use Malwarebytes antivirus? Then you must see what Google has found… | ALBATARNI()
Pingback: Use Malwarebytes antivirus? Then you must see what Google has found… | Letters From Thailand()
Michel Sup

Ho my… Would you ask Microsoft’s CEO a refund for selling you a (potentially) vulnerable OS to start with? Not to mention the dozen of paid software patched every month or so for security reasons you might use as a daily basis?
If you had been infected, I could understand you asked for compensation. I believe you are just procedural. (Not to say mean)
Pingback: Use Malwarebytes antivirus? Then you should see what Google has found – NaijaKonnect.com – Start, learn, run and grow your business.()
Pingback: Google engineer finds holes in three ‘secure’ browsers – ○○○○●○○○()
Pingback: Google engineer finds holes in three 'secure' browsers | KnowNaija()
Pingback: Google engineer finds holes in three 'secure' browsers - SOGO Tech News()
Pingback: Engadget - Legitimate Work at Home Jobs & Opportunities()
Pingback: Google engineer finds holes in three ‘secure’ browsers | Article Showcase()
Pingback: Malwarebytes is facing problems to fix flaws in its antivirusSecurity Affairs()
Pingback: Use Malwarebytes antivirus? Then you should see what Google has found | Gadgets.Menghoe.net()
Pingback: Malwarebytes hardly working to fix flaws in its antivirus - Systerity()
Pingback: News Spectral » Google engineer finds holes in three ‘secure’ browsers()
Pingback: Malwarebytes hardly working to fix flaws in its antivirus | Tailor Technology()
Pingback: Malwarebytes still fixing flaws in antivirus software – Technewsnow.Today()
Pingback: Google tacle les éditeurs antivirus ayant créé des forks de Chromium – JDCHASTA SAS()
Pingback: Google engineer finds security holes in three ‘secure’ browsers from Anti-virus makers -()
Pingback: Malwarebytes Announces Upcoming Security Update / Bug Bounty Programme | securityinaction()
Jim

I guess the difference is MBAM is explicitly written and purchased to defend against Malware. A Microsoft/Apple/Linux OS is built to do many things so the two can’t really be compared.

It’s good to see Malwarebytes responding – however it seems to being kept as quiet as possible – unlike someone such as LastPass who very publically admit to issues, and fix them a lot faster.
Pingback: IT Security Stories to Watch: Was UCF’s Network Compromised? | News4Security()
Pingback: Spectral Security » Google engineer finds holes in three ‘secure’ browsers()
Michel Sup

If you are a little bit concerned by security to read such a blog, I guess you are aware that there is no security, you can just mitigate the risks. Obviously a relative cheap piece of software like MBAM is at risk as well, like the more pricey Juniper routers and other brands firewalls.
I do not discuss the way Malwarebytes has handled the issue. We comment a post on their blog stating the problem, so it’s not that bad.
I’m more concerned by their code review policies to remove vulnerabilities. How can they spend ressources checking other companies software when they can’t handle their own code ?
And even more concerning, how did they managed to leave these vulnerabilities open for 4 months ? Do a mistake can be understood. Do nothing to correct it is just… lame?
Pingback: A Week in Security (Jan 31 – Feb 6) | Malwarebytes Unpacked()
Pingback: Use Malwarebytes antivirus? Then you should see what Google has found | Tech Mash News()
Judy Clark Killmer

Does my paid version of Malwarebytes have this security concern, or just the free version?
Pingback: FREE SOFTWARE HAS MAJOR SECURITY FLAWS – TigersLoft Blog()
Peach Drinkwater

there the same program one just has more features then the other so yes they would have these bugs but i am sure they are fixed now or at least for the most part
Judy Clark Killmer

Not quite the reassurance I was hoping for in terms of whether or not the issue has been resolved. I’ll try to reach Malwarebytes for confirmation. Thanks for trying!
Peach Drinkwater

well by now i am sure it has been resolved since malwarebytes is pretty good about patching there systems
Thorsten Behrens

Your paid version has this concern, however, you can mitigate. That’s nerd-speak for “while the underlying vulnerability hasn’t been fixed it can’t be exploited.” To mitigate, go into Settings, Advanced Settings, and check “Enable self-protection module” and “Enable self-protection early start”. I do believe you need the Pro version to use that feature.

Version 2.2.1 is expected to fix these bugs, sometime March. It’s a good idea to have Malwarebytes protect itself, at any rate, even when these are fixed.
Judy Clark Killmer

Thank you, Thorsten. MalwareBytes had already e-mailed me back with this information, and I DO have the Pro version. They said I should keep that setting even after the “fix” is released. Your information was spot on!
Alexander G. Riccio

I’m curious, why/how does the self-protection module mitigate these vulnerabilities? What does it actually do?
Darth Vitrial

Any idea when this new build will be released?
ANONymousPatriot

You ever going to release this fix or should I start looking for another program that won’t let me be exploited? “No software is perfect” but you said you were gonna fix it in 2-3 weeks not 2-3 months.
Jon Bartus

The article you linked was from 2 days after this article was posted, they said 3-4 weeks, read FFS. By the time you posted, if you’d found a contemporary article instead of linking a then-month-old article, you might have been correct, but as it stands… >.<
Jon Bartus

LastPass is a considerably simpler piece of software.
Brian Gregory

In my case it causes my PC to become unstable.
Peach Drinkwater

your welcome

RELATED ARTICLES

CEO announcements | Malwarebytes news

Welcome to Malwarebytes Unpacked

April 20, 2012 - Malwarebytes was founded with the community in mind. Facebook, Twitter, our forums, and countless other outlets have allowed us to communicate with you, our community. We felt a major piece was missing. Welcome to Malwarebytes Unpacked. Malwarebytes Unpacked is the official Malwarebytes blog providing you with the latest exciting news and cutting edge research directly...

CONTINUE READING 6 Comments

CEO announcements | Malwarebytes news

Yesterday’s Database Update Issue

April 16, 2013 - It saddens me to report that at around 3 PM PST yesterday, Malwarebytes released a definitions update that disabled thousands of computers worldwide. Within 8 minutes, the update was pulled from our servers. Immediately thereafter, users flocked to our support helpdesk and forums to ask us for a fix. I want to offer my sincere...

CONTINUE READING 6 Comments

CEO announcements | Malwarebytes news

Improvements to our Updating Process

April 18, 2013 - It’s been a rough week here at Malwarebytes, and I’m sure for many of you as well. We’ve spent the entire week focused on supporting the users affected by Monday’s false positive, as well as implementing systems to prevent this type of problem from ever happening again. If you have not yet received help, please route...

CONTINUE READING 2 Comments

CEO announcements | Malwarebytes news

Vulnerability Bounty Hunting In Action

July 23, 2013 - Last week, security researcher Roy Castillo posted a recount of interactions with Facebook about a bug that he had found. Will bug bounty hunting become the norm?

CONTINUE READING No Comments

CEO announcements | Malwarebytes news

Malwarebytes Adopts Aggressive PUP Policy

July 26, 2013 - Malwarebytes Anti-Malware previously detected only harmful or deceiving PUPs. Today, We're revising our policy to include PUPs that our users find annoying or misleading.

CONTINUE READING 12 Comments

ABOUT THE AUTHOR

Marcin Kleczynski
CEO and Co-Founder of Malwarebytes

Likes long walks on the beach and hates fish.

CATEGORIES

101 Cybercrime Malwarebytes news PUP Security world

SEARCH LABS

TOP POSTS

Malwarebytes Anti-Malware vulnerability disclosure

Welcome to Malwarebytes Unpacked

Yesterday’s Database Update Issue

Improvements to our Updating Process

Vulnerability Bounty Hunting In Action

Malwarebytes Adopts Aggressive PUP Policy

Cybersecurity info you can’t do without