Malwarebytes wouldn't go into the specifics of the remaining vulnerabilities, although all the details are on the Google Project Zero site – minus the hardcoded RC4 key that Ormandy says capable bods can figure out themselves. Ormandy, a top ninja in the Google Project Zero bug-hunting team, has carved out a niche in exposing the security shortcomings of anti-virus products, including software from Trend Micro, ESET, FireEye, Kaspersky and Avast.

Consumers using the Premium version of Malwarebytes Anti-Malware should enable self-protection under settings to mitigate all of the reported vulnerabilities. However, this is of sufficient enough a concern that we are seeking to implement a fix. Based on the findings, we believe that this could only be done by targeting one machine at a time. The research seems to indicate that an attacker could use some of the processes described to insert their own code onto a targeted machine. At this time, we are still triaging based on severity. Within days, we were able to fix several of the vulnerabilities server-side and are now internally testing a new version (2.2.1) to release in the next 3-4 weeks to patch the additional client-side vulnerabilities.

Ignore list for both the scanner and Protection Module. Quarantine to hold threats and restore them at your convenience. (requires registration) Database updates released at least once every two days.

In a blog post on Monday, Malwarebytes chief exec Marcin Kleczynski apologized for the evidently hard-to-eradicate programming blunders: Malwarebytes Anti-Malware Protection Module.
- ACTIONs can result in remote code execution.
- TXTREPLACE rules are not context aware, allowing code injection.
- Malwarebytes uses incorrect ACLs allowing trivial privilege escalation.
- Malwarebytes updates are not signed or downloaded over a secure channel.

Time's up for Malwarebytes, so now miscreants can start to exploit the reported vulnerabilities:

Chocolatey is trusted by businesses to manage software deployments. Chocolatey integrates with SCCM, Puppet, Chef, etc.

Project Zero gives vendors 90 days to fix their broken software before they go fully public.

Chocolatey is software management automation for Windows that wraps installers, executables, zips, and scripts into compiled packages.

These latter vulnerabilities may take up to three weeks to fix and release, although Ormandy has already gone public with details of the holes.

However, security holes remain in the client-side software that runs on people's Windows PCs. The antivirus firm says it has addressed server-side vulnerabilities that were reported by Google Project Zero researcher Tavis Ormandy in November. Malwarebytes is rushing to plug security flaws in its software that allow miscreants to sling malware at its customers.