Malwarebytes neglected to patch a security hole in their client, discovered by Project Zero

source: https://code.google.com/p/google-security-research/issues/detail?id=714
via: http://www.theregister.co.uk/2016/02/02/malwarebytes_0day/

 

so, get this
Google has a project, called Project Zero, that searches for security holes in random software - if they find something, the developers of said software are informed and have 90 days to fix it or they go public with their findings

 

in this case, Malwarebytes's MBAM
Google Project Zero researcher Tavis Ormandy wrote:

Quote

[[ This issue is a duplicate of issue 615 and issue 631, but with the hardcoded RC4 key censored. MalwareBytes are concerned that publishing the RC4 key could be damaging, and while I'm quite certain anyone interested in the key is capable of figuring it out, I agreed to censor it ]]

Malwarebytes updates are not signed or downloaded over a secure channel.
========================================================================


MalwareBytes fetches their signature updates over HTTP, permitting a man in the middle attack. The protocol involves downloading YAML files over HTTP for each update from http://data-cdn.mbamupdates.com. Although the YAML files include an MD5 checksum, as it's served over HTTP and not signed, an attacker can simply replace it.

It's possible the developer believed that an attacker cannot tamper with the data, as it's encrypted with the hardcoded RC4 key `████████████████████████████████` for configuration data, and `████████████████████████████████` for definitions. However, this is not the case. The following openssl commands can be used to decrypt, edit, and then re-encrypt the definitions and configuration data

 

...

 

This bug is subject to a 90 day disclosure deadline. If 90 days elapse without a broadly available patch, then the bug report will automatically become visible to the public.

 

those 90 days passed and Malwarebytes only managed to fix the server side of the issue, thus the exploit was made public

 

in the meantime, Malwarebytes' CFO Marcin Kleczynski apologized in a blog post: https://blog.malwarebytes.org/news/2016/02/malwarebytes-anti-malware-vulnerability-disclosure/
and to mitigate the damage to their image, Marcin Kleczynski announced a "bug" hunting program, Malwarebytes Bug Bounty

 

---

 

Project Zero is a team of security analysts employed by Google, their job is to find zero-day exploits

the project was started in July 2014 after the discovery of notorious OpenSSL exploit "HeartBleed"

 

a notable discovery by Project Zero:

in Sept 2014 the Project Zero team detected a security flaw within Windows 8.1, "NtApphelpCacheControl", which allows a normal user to gain admin access - MS was notified, but did not manage to issue a fix, thus the vulnerability was made public: http://www.engadget.com/2015/01/02/google-posts-unpatched-microsoft-bug/
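The quoted report's point is that an MD5 checksum delivered over the same unauthenticated HTTP channel as the payload proves nothing against an on-path attacker, who simply recomputes it, whereas a signature made with a key the client never holds cannot be recomputed. The following Go program is an added illustration of that difference and is not part of this post, the Project Zero report or Malwarebytes' own code; the manifest layout, the payload strings and the Ed25519 key pair are all constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/md5"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// Manifest is a constructed stand-in for an update descriptor: the
// definitions blob plus the MD5 digest the descriptor advertises for it.
type Manifest struct {
	Definitions []byte
	MD5Hex      string
}

// NewManifest builds a manifest the way a checksum-only scheme does: the
// digest is computed over the payload and shipped alongside it.
func NewManifest(defs []byte) Manifest {
	sum := md5.Sum(defs)
	return Manifest{Definitions: defs, MD5Hex: hex.EncodeToString(sum[:])}
}

// VerifyChecksumOnly is the weak check. It only proves that the payload
// matches the digest that travelled with it over the same channel.
func VerifyChecksumOnly(m Manifest) bool {
	sum := md5.Sum(m.Definitions)
	return hex.EncodeToString(sum[:]) == m.MD5Hex
}

// Tamper models an on-path attacker who rewrites the HTTP response: the
// payload is replaced and the digest is recomputed to match it.
func Tamper(newDefs []byte) Manifest {
	return NewManifest(newDefs)
}

// SignedManifest adds a detached Ed25519 signature over the payload. Only the
// vendor holds the private key; the client ships with the public key.
type SignedManifest struct {
	Manifest
	Signature []byte
}

// Sign is what the vendor's release process would do before publishing.
func Sign(priv ed25519.PrivateKey, m Manifest) SignedManifest {
	return SignedManifest{Manifest: m, Signature: ed25519.Sign(priv, m.Definitions)}
}

// VerifySigned is the hardened client check: the digest still guards against
// corruption, but authenticity comes from the signature.
func VerifySigned(pub ed25519.PublicKey, sm SignedManifest) error {
	if !VerifyChecksumOnly(sm.Manifest) {
		return errors.New("checksum mismatch")
	}
	if !ed25519.Verify(pub, sm.Definitions, sm.Signature) {
		return errors.New("signature invalid")
	}
	return nil
}

// DemoResult records how each check treats a genuine and a tampered manifest.
type DemoResult struct {
	GenuineChecksumOK   bool
	TamperedChecksumOK  bool // true: the checksum-only check is fooled
	GenuineSignatureOK  bool
	TamperedSignatureOK bool // false: the attacker cannot forge the signature
}

// Demo runs both checks against a genuine update and a tampered copy.
func Demo() (DemoResult, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // constructed key pair
	if err != nil {
		return DemoResult{}, err
	}
	genuine := NewManifest([]byte("constructed definitions v1"))
	signed := Sign(priv, genuine)

	// The attacker replaces the payload and recomputes the MD5, but has no
	// private key, so the best available move is to reuse the old signature.
	tampered := Tamper([]byte("constructed tampered definitions"))
	tamperedSigned := SignedManifest{Manifest: tampered, Signature: signed.Signature}

	return DemoResult{
		GenuineChecksumOK:   VerifyChecksumOnly(genuine),
		TamperedChecksumOK:  VerifyChecksumOnly(tampered),
		GenuineSignatureOK:  VerifySigned(pub, signed) == nil,
		TamperedSignatureOK: VerifySigned(pub, tamperedSigned) == nil,
	}, nil
}

func main() {
	r, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", r)
}
```

Encrypting the payload with a key embedded in every copy of the client, as the report describes, does not change this picture: whoever extracts that key can produce valid ciphertext just as easily as the vendor, so it provides no authenticity. Fetching over TLS with certificate validation and verifying a vendor signature are complementary, and the second one still holds if the first is ever bypassed.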


Interesting. Google and their Project Zero again making enemies.

But good to know at least I guess.


Wow, the best anti malware software available and they ignored a security hole in their own client? Pretty bad.

 

Are you drunk Zmuel? There's a lot of spelling errors in this post which is unlike you.


3 minutes ago, SansVarnic said:

Interesting. Google and their Project Zero again making enemies.

But good to know at least I guess.

Obviously they need to. If someone regarded as one of the best out there has flaws that they will otherwise ignore, who knows what insane nonsense is going on behind the scenes at other places/programs?


From the article, it doesn't sound like they completely ignored Google's warning before Google publicly disclosed the problem, but for some reason they didn't fix it fast (though I could be wrong). Malwarebytes has also put out that Bug Bounty program. Unfortunate that it isn't fixed, but seems like they're taking the necessary steps.


9 minutes ago, dragosudeki said:

From the article, it doesn't sound like they completely ignored Google's warning before Google publicly disclosed the problem, but for some reason they didn't fix it fast (though I could be wrong). Malwarebytes has also put out that Bug Bounty program. Unfortunate that it isn't fixed, but seems like they're taking the necessary steps.

they gave them 90 days to fix it or they would go public - they went public, meaning it wasn't fixed in those 90 days

this was clearly stated in the source material


5 minutes ago, zMeul said:

they gave them 90 days to fix it or they would go public - they went public, meaning it wasn't fixed in those 90 days

Not being fixed in 90 days does not imply they didn't work on it at all. The article stated that they fixed the server-side issues but still need to work on the client-side part (which is in the testing phase according to the article). If they truly ignored the warning, they wouldn't have made any progress nor introduced the Bug Bounty program.


8 minutes ago, dragosudeki said:

Not being fixed in 90 days does not imply they didn't work on it at all. In the article it stated, they fixed the server-side issues

yes, and I mentioned they only fixed the server side issue in those 90 days

whether they were working on a client fix or not doesn't matter - they did not meet the 90-day deadline

 

quote from MBAM blog:

Quote

Within days, we were able to fix several of the vulnerabilities server-side and are now internally testing a new version (2.2.1) to release in the next 3-4 weeks to patch the additional client-side vulnerabilities. At this time, we are still triaging based on severity.

it took them only a few days (less than a week I guess) to fix the server side, but they need 90+ days to fix the client!? I call it bullcrap - it sounds to me that the publication of said exploit forced MBAM to start working on a client fix


9 minutes ago, zMeul said:

yes, and I said they only fixed the server side issue in those 90 days

whether they were working on a client fix or not doesn't matter - they did not meet the 90-day deadline

It actually does matter. How can they 'neglect' a security issue that they were obviously working on? Neglect and not reaching a deadline are completely different situations. Additionally, in their blog post, the writer actually offered to give refunds for the time from when the vulnerability was found until it is fixed (though I wouldn't be able to confirm whether such refunds were given). It is a shame they didn't fix it in time, but they are definitely doing what they can.


7 minutes ago, dragosudeki said:

It actually does matter. How can they 'neglect' a security issue that they were obviously working on? Neglect and not reaching a deadline are completely different situations. Additionally, in their blog post, the writer actually offered to give refunds for the time from when the vulnerability was found until it is fixed (though I wouldn't be able to confirm whether such refunds were given). It is a shame they didn't fix it in time, but they are definitely doing what they can.


mate, cut the crap

as I said: they fixed the server side in days, but they need an additional 3-4 weeks, on top of those 90 days, to issue a client fix?!

 

the refunds for this should've happened 90 days ago, not when Project Zero published the exploit


Good. I am glad Google is calling out companies on their sloppy practices. I am a user of Malwarebytes security on my PC and would like it if they didn't subject my PC to a man in the middle attack. Chop chop, Malwarebytes. You've got work to do.
