Google’s Project Zero gives Malwarebytes a kicking
GOOGLE’S SECURITY street gang Project Zero has been kicking sand in the face of Malwarebytes and picking the firm’s protection precautions apart.
Malwarebytes usually wears the boot in this kind of thing, but Project Zero has taken a punt in the security firm’s direction and accused it of all sorts of bad things.
This is not the first time that Project Zero has pointed fingers, as the gang only recently made Microsoft, FireEye and Trend Micro look bad.
Malwarebytes has “multiple security issues” that can open users to man-in-the-middle attacks and other things that you might choose to avoid, according to aProject Zero report from researcher Tavis Ormandy.
The post said that the problem has been fixed, but a lot of the details have been redacted which, of course, makes things more interesting.
Ormandy claimed that Google told the firm about the problem last year, and gave it 90 days before getting the sandwich board out and marching round the community.
“Malwarebytes fetches their signature updates over HTTP, permitting a man-in-the-middle attack. The protocol involves downloading YAML files over HTTP for each update from http://data-cdn.mbamupdates.com. Although the YAML files include an MD5 checksum, as it’s served over HTTP and not signed an attacker can simply replace it,” he wrote.
“It’s possible the developer believed that an attacker cannot tamper with the data as it’s encrypted with the hardcoded RC4 key [redacted] for configuration data, and [redacted] for definitions. However, this is not the case. Openssl commands can be used to decrypt, edit and then re-encrypt the definitions and configuration data.”
We have asked Malwarebytes to talk about this, and are waiting for a response. It was only last week that the firm proudly announced a bug bounty reward programme which, presumably, will pay for itself.
source:www.theinquirer.net