Considering the business Malwarebytes is in, you can expect a lot of negative press about a gaping security hole in the near future, and while there is a real vulnerability, it is not as bad as many will make it out to be. The issue is that signature updates are fetched over plain HTTP and are unsigned. That is very bad practice, but it is something that would have to be exploited one client connection at a time rather than something you could use to create a widespread infection. The Register links to the Google Project Zero entry, which was released today because the vulnerability was first reported to Malwarebytes 90 days ago and has still not been addressed on the client side.
The actual concern you should have is that the original bug report also found vulnerabilities on the server side. Malwarebytes corrected the server-side issues almost immediately but neglected to follow through on the client side. It is good of them to patch and to offer bug bounties, but complete follow-through is necessary if you are a security software peddler who wants your reputation to stay intact.
"The antivirus firm says it has addressed server-side vulnerabilities that were reported by Google Project Zero researcher Tavis Ormandy in November. However, security holes remain in the client-side software that runs on people's Windows PCs."
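To make the client-side weakness concrete, here is an added example (not code from Malwarebytes or from the Project Zero report) of what a client is supposed to do with a definitions download before loading it. It assumes a design the article does not describe: the vendor signs a small manifest (version plus SHA-256 of the payload) with an Ed25519 key whose public half is pinned in the client, and the client rejects anything whose signature, hash or version does not check out. With that in place, the transport (HTTP or otherwise) no longer decides whether the update is trusted; the names `Manifest`, `SignedUpdate`, `BuildUpdate` and `VerifyUpdate` are hypothetical.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest describes one definitions release. It is the only thing the
// vendor key signs; the payload is bound to it through its hash.
type Manifest struct {
	Version    int    `json:"version"`
	PayloadSHA string `json:"payload_sha256"`
}

// SignedUpdate is what the client downloads: manifest, its signature, payload.
type SignedUpdate struct {
	ManifestJSON []byte
	Signature    []byte
	Payload      []byte
}

var (
	ErrBadSignature = errors.New("manifest signature does not verify")
	ErrBadPayload   = errors.New("payload hash does not match manifest")
	ErrRollback     = errors.New("update version not newer than installed")
)

// VerifyUpdate checks a download against the pinned vendor public key and the
// currently installed version. The payload must not be loaded unless all
// three checks pass: signature first, then hash binding, then anti-rollback.
func VerifyUpdate(pub ed25519.PublicKey, installed int, u SignedUpdate) (Manifest, error) {
	var m Manifest
	if !ed25519.Verify(pub, u.ManifestJSON, u.Signature) {
		return m, ErrBadSignature
	}
	if err := json.Unmarshal(u.ManifestJSON, &m); err != nil {
		return m, err
	}
	sum := sha256.Sum256(u.Payload)
	if hex.EncodeToString(sum[:]) != m.PayloadSHA {
		return m, ErrBadPayload
	}
	if m.Version <= installed {
		return m, ErrRollback
	}
	return m, nil
}

// BuildUpdate is the publishing side: hash the payload, sign the manifest.
func BuildUpdate(priv ed25519.PrivateKey, version int, payload []byte) (SignedUpdate, error) {
	sum := sha256.Sum256(payload)
	mj, err := json.Marshal(Manifest{Version: version, PayloadSHA: hex.EncodeToString(sum[:])})
	if err != nil {
		return SignedUpdate{}, err
	}
	return SignedUpdate{ManifestJSON: mj, Signature: ed25519.Sign(priv, mj), Payload: payload}, nil
}

func main() {
	// Constructed demo key pair; a real client would pin the vendor's public key.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	good, _ := BuildUpdate(priv, 42, []byte("constructed definitions blob v42"))

	// 1. Genuine release on top of version 41: accepted.
	m, err := VerifyUpdate(pub, 41, good)
	fmt.Println("genuine:", m.Version, err)

	// 2. Payload altered in transit, manifest untouched: hash binding fails.
	tampered := good
	tampered.Payload = []byte("modified blob")
	_, err = VerifyUpdate(pub, 41, tampered)
	fmt.Println("tampered payload:", err)

	// 3. Manifest edited to claim a higher version: signature no longer verifies.
	edited := good
	edited.ManifestJSON = []byte(`{"version":99,"payload_sha256":"00"}`)
	_, err = VerifyUpdate(pub, 41, edited)
	fmt.Println("edited manifest:", err)

	// 4. Replay of an old but genuine release: rejected by the version check.
	_, err = VerifyUpdate(pub, 42, good)
	fmt.Println("replayed release:", err)
}
```

The ordering matters: verifying the signature before parsing the manifest means untrusted JSON never reaches the parser, and the version check is what stops a genuine but stale release from being replayed to a client that already has newer definitions.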
Here is some more Tech News from around the web:
- Exascale project wants machine with TEN MEEELLION ARMS @ The Register
- Joysix, Six Degree of Freedom Mouse Made From Retractable Key Rings @ Hack a Day
- Intel, Qualcomm set up their WiGig 802.11ad devices on blind dates @ The Register
- MQTT: Building an Open Internet of Things @ Linux.com
- Build Your Swarm: Control Cockroaches for Under $30! @ Hack a Day
- Building Custom Appliances with SUSE Studio @ Linux.com
- Microsoft ships 6.0 million Surface tablets in 2015, say sources @ DigiTimes
- Ventec 3015+ Battery Pack/Wall Charger combo @ TechwareLabs
- Barracuda Networks Kills Copy & CudaDrive @ TechARP
- Auslogics Registry Cleaner Tutorial @ Hardware Secrets
- 2016 Samsung SUHD TV Models Revealed @ Tech ARP
I found the more disturbing part of this situation to be the fact that significant issues have been found in software from several AV companies recently, and that those companies haven’t shown any apparent interest in fixing the root problems.