Rewards will vary from $100 to $1,000 per bug

Feb 2, 2016 22:23 GMT

Malwarebytes is in the last stages of deploying permanent patches to fix a series of security bugs reported to the company by Google Project Zero security researcher Tavis Ormandy.

Malwarebytes is a company best known for Malwarebytes Anti-Malware (MBAM), a Windows and Mac OS X security product that identifies, removes, and protects users against malware threats in real time.

Back in November 2015, the Malwarebytes team was contacted by Google's famed security researcher Tavis Ormandy, who informed the company about four pretty serious security issues with their flagship product.

Mr. Ormandy discovered that MBAM was downloading signature updates via HTTP and also not signing the updates, allowing basic MitM (Man-in-the-Middle) attacks to take place.
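The update-channel weakness described above (signature updates fetched over plain HTTP and never signed) is the kind of flaw a client closes by pinning the vendor's public key and refusing any payload whose detached signature does not verify, independently of the transport. The Go program below is an added illustration written for this article, not Malwarebytes code; the Ed25519 key pair, the update bytes and the URLs are constructed for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"net/url"
)

// UpdateManifest models one signature-database update as a client receives it:
// the payload bytes plus a detached signature made with the vendor's private key.
type UpdateManifest struct {
	Payload   []byte
	Signature []byte
}

var (
	ErrInsecureTransport = errors.New("update URL must use https")
	ErrBadSignature      = errors.New("update signature verification failed")
)

// CheckUpdateURL rejects plaintext transports so an on-path attacker cannot
// swap the update in transit. TLS alone is not enough; the signature check
// below still applies to whatever arrives.
func CheckUpdateURL(raw string) error {
	u, err := url.Parse(raw)
	if err != nil || u.Scheme != "https" || u.Host == "" {
		return ErrInsecureTransport
	}
	return nil
}

// VerifyUpdate checks the detached signature against the pinned vendor public
// key before the payload is handed to the engine. The length guard matters:
// ed25519.Verify panics on a malformed key rather than returning false.
func VerifyUpdate(vendorPub ed25519.PublicKey, m UpdateManifest) error {
	if len(vendorPub) != ed25519.PublicKeySize || !ed25519.Verify(vendorPub, m.Payload, m.Signature) {
		return ErrBadSignature
	}
	return nil
}

// SignUpdate is the vendor-side step (build server, offline key): it produces
// the detached signature shipped next to the payload.
func SignUpdate(vendorPriv ed25519.PrivateKey, payload []byte) UpdateManifest {
	return UpdateManifest{Payload: payload, Signature: ed25519.Sign(vendorPriv, payload)}
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed vendor key pair for the demo
	m := SignUpdate(priv, []byte("constructed signature database v1"))
	fmt.Println("genuine:", VerifyUpdate(pub, m))
	m.Payload[0] ^= 1 // one byte altered in transit
	fmt.Println("tampered:", VerifyUpdate(pub, m))
	fmt.Println("plain http:", CheckUpdateURL("http://updates.example.invalid/db.bin"))
}
```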

The researcher also pointed out that attackers could execute code on the user's machine using flaws in the TXTREPLACE and ACTION functions, and they could also leverage a local privilege escalation issue found in the engine's ACL (Access Control List) to grant themselves system-level permissions.

Following Mr. Ormandy's message, the Malwarebytes team promptly issued a hotfix in a couple of days and is now preparing to launch MBAM 2.2.1, which will fix these issues in their entirety.

Malwarebytes will pay between $100 and $1,000 per security bug

Besides patching their product, the Malwarebytes team has also decided that it's time for the company to accept outside help in managing their product's security.

For this, the firm's CEO, Marcin Kleczynski, has announced the founding of an official bug bounty program, which will help Malwarebytes keep its product bug-free and will also reward third-party researchers who spend their time looking for security bugs.

Rewards will vary between $100 and $1,000 (€91 and €910) depending on each issue's severity, but security researchers who report lower-tier security bugs will also be eligible to receive some sort of Malwarebytes "swag."

"We are taking steps like the Bug Bounty program as well as building automatic vulnerability finding software to mitigate any potential for a future vulnerability," said Malwarebytes CEO, Mr. Kleczynski. "Our engineers have used this discovery to create new processes and methodologies that will help us to continue to scrutinize our own code, identify any weak lines or processes and to build additional tests and checkpoints into our ongoing development cycle."

In the meantime, users who are still running current or older versions of MBAM can protect themselves against attempts to exploit the bugs Ormandy reported by turning on MBAM's "self-protection" feature.