Vulnerability Management

Malwarebytes says sorry for multiple AV bugs, still unpatched

Security firm Malwarebytes has owned up to several security flaws in its anti-virus software that are still three-to-four weeks away from being fixed.

Malwarebytes CEO Marcin Kieczynski has personally apologised to customers for the bugs, which allow attackers to insert their own code onto a targeted machine.

“I'd like to take this opportunity to apologise,” he said in a 1 February blog. “While these things happen, they shouldn't happen to our users.”

In response, Malwarebytes has also launched a bug bounty programme, offering white-hats a headline top prize of US$ 1,000 (£700) for any bugs they find, depending on their severity and exploitability.

Malwarebytes' problems are the latest in a series of AV product failings discovered by British security researcher Tavis Ormandy, from the Google Project Zero bug-hunting team.

Earlier this month, Ormandy revealed flaws in Trend Micro's AV software and has also recently found vulnerabilities in Kaspersky, ESET, FireEye and Avast security products.

Malwarebytes has owned up to its bugs ahead of a 90-day disclosure deadline imposed by Project Zero to push vendors to fix their software quickly – though it is still working to issue a patch.

The security firm gave little specific detail about the bugs, but Kieczynski said Ormandy alerted it In November “to several security vulnerabilities in the consumer version of Malwarebytes Anti-Malware.

“Within days, we were able to fix several of the vulnerabilities server-side and are now internally testing a new version (2.2.1) to release in the next three to four weeks to patch the additional client-side vulnerabilities. At this time, we are still triaging based on severity.”

Kieczynski added: “The research seems to indicate that an attacker could use some of the processes described to insert their own code onto a targeted machine. Based on the findings, we believe that this could only be done by targeting one machine at a time. However, this is of sufficient concern that we are seeking to implement a fix.”

Malwarebytes' admission, and the other recent AV product flaws, have been branded as “disappointing” by European cyber-security expert Brian Honan, head of Ireland's CSIRT and a special advisor on internet security to Europol.

He told SCMagazineUK.com: “All software has vulnerabilities, but we are entrusting the security of our systems to these vendors and we should have a higher level of expectation of the security built into their products. If you're buying a lock for your house, you'd hope that the locksmith had done a good job. Likewise with security software.”

He said: “The introduction of a bug bounty programme by Malwarebytes is welcome here. I would hope they're also looking at their internal process to ensure best practice for secure code development – and I hope all security vendors are looking at these issue in their competitors and doing their own review to ensure their products are as secure as they can be.”

Security and bug-bounty expert Ilia Kolochenko, CEO of High-Tech Bridge, was also critical. In an emailed comment to SCMagazineUK.com, he said: “Security companies should be more open and reactive when they receive information about vulnerabilities in their own software or products. Otherwise, they serve a bad example of risk management and incident handling.”

Kolochenko praised Malwarebytes' bug bounty scheme as “a tool to motivate security enthusiasts to find some flaws before black hats will”. But he added: “You should clearly understand that bug bounty is just an additional level of external testing, not a replacement of any security controls already in place.”

Meanwhile, Tavis Ormandy has said on Twitter that the security industry is “in denial” - and he was scathing of Trend Micro earlier this month when he reported a remote code execution flaw in its software.

In an exchange with Trend, Ormandy wrote: "I don't even know what to say - how could you enable this thing *by default* on all your customer machines without getting an audit from a competent security consultant? You need to come up with a plan for fixing this right now. Frankly, it also looks like you're exposing all the stored passwords to the internet, but let's worry about that screw-up after you get the remote code execution under control.”

Brian Honan advised: “As consumers, we need to make sure we are doing appropriate risk assessment and vendor security assessments of these products, and not just accept that because they're a security product by default they should be secure.”

Malwarebytes' bug bounty of up to US$ 1,000 (£700) is far below Microsoft's US$ 100,000 (£70,000) and Google's US$ 20,000 (£14,000) top prizes, but matches the rewards offered by security firms like AVG and Avast.

Some AV vendors like McAfee, Trend Micro and Symantec offer no cash incentives in their bug bounty schemes, while other security companies offer no bug bounty schemes at all, according to data from Bugcrowd, which tracks over 400 such programmes.

Malwarebytes also says it “reserves the right to increase this amount on a per case basis”.

Kieczynski said that as well as the bug bounty scheme, Malwarebytes is, “building automatic vulnerability-finding software to mitigate any potential for a future vulnerability” and has, “created new processes and methodologies that will help us to continue to scrutinise our own code and identify any weak lines or processes”.

The company is advising users of the Premium version of Malwarebytes Anti-Malware to “enable self-protection” under settings to mitigate all the reported vulnerabilities.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.