
997440

Marcin Kleczynski of MB on 2/1/16:
In early November, a well-known and respected security researcher by the name of Tavis Ormandy alerted us to several security vulnerabilities in the consumer version of Malwarebytes Anti-Malware.

Within days, we were able to fix several of the vulnerabilities server-side and are now internally testing a new version (2.2.1) to release in the next 3-4 weeks to patch the additional client-side vulnerabilities. At this time, we are still triaging based on severity......However, this is of sufficient enough a concern that we are seeking to implement a fix. Consumers using the Premium version of Malwarebytes Anti-Malware should enable self-protection under settings to mitigate all of the reported vulnerabilities.......
https://blog.malwarebytes.org/news/2016/02/malwarebytes-anti-malware-vulnerability-disclosure/
 
An update on this from a report posted on 2/2/16 by Tavis Ormandy, a member of the Google Security Research, Project Zero Team:

[[ This issue is a duplicate of issue 615 and issue 631, but with the hardcoded RC4 key censored. MalwareBytes are concerned that publishing the RC4 key could be damaging, and while I'm quite certain anyone interested in the key is capable of figuring it out, I agreed to censor it ]]

Malwarebytes updates are not signed or downloaded over a secure channel.
========================================================================


MalwareBytes fetches their signature updates over HTTP, permitting a man in the middle attack. The protocol involves downloading YAML files over HTTP for each update from httd://data-cdn.mbamupdates.com. Although the YAML files include an MD5 checksum, as it's served over HTTP and not signed, an attacker can simply replace it.....
^"p" changed to "d" by rshrugged to break link.
https://code.google.com/p/google-security-research/issues/detail?id=714
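
The point in the quoted report, that a checksum delivered over the same unauthenticated channel as the update proves nothing, shown as an added example (not code from the post, Malwarebytes, or Project Zero). The manifest fields `md5` and `tag`, the function names and the key are hypothetical, and HMAC stands in for an asymmetric signature only so the block runs on the Python standard library.

```python
import hashlib
import hmac

# Constructed demo key. A shipped client would instead verify an asymmetric
# signature against a pinned public key and never hold the signing secret.
SIGNING_KEY = b"constructed-demo-key"


def make_manifest(payload: bytes) -> dict:
    """Publisher side: in-band MD5 plus an authentication tag over the payload."""
    return {
        "md5": hashlib.md5(payload).hexdigest(),
        "tag": hmac.new(SIGNING_KEY, payload, hashlib.sha256).hexdigest(),
    }


def checksum_only_ok(payload: bytes, manifest: dict) -> bool:
    """Check using only the checksum that travelled with the update."""
    return hashlib.md5(payload).hexdigest() == manifest["md5"]


def authenticated_ok(payload: bytes, manifest: dict) -> bool:
    """Check that depends on a secret the network path does not have."""
    expected = hmac.new(SIGNING_KEY, payload, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, manifest.get("tag", ""))


def simulate_tampering(manifest: dict, new_payload: bytes):
    """Model a modified response: payload swapped, MD5 recomputed, tag untouched
    because the party on the path cannot produce a valid one."""
    forged = dict(manifest)
    forged["md5"] = hashlib.md5(new_payload).hexdigest()
    return new_payload, forged


if __name__ == "__main__":
    original = b"rules: [a, b]\n"          # constructed sample update body
    manifest = make_manifest(original)
    body, forged = simulate_tampering(manifest, b"rules: []\n")
    print("checksum-only accepts modified update:", checksum_only_ok(body, forged))
    print("authenticated check accepts it:       ", authenticated_ok(body, forged))
```
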
 