
Antivirus in the crosshairs again: critical vulnerabilities found in Malwarebytes

Malwarebytes is working to fix serious vulnerabilities in its antivirus product. The bugs were found by Tavis Ormandy of Google's Project Zero team.

The researcher found that updates for the Malwarebytes antivirus were not signed with the company's digital signature and were downloaded over an unprotected HTTP connection. Together these flaws leave the antivirus's users exposed to man-in-the-middle attacks: an attacker on the network path could simply substitute update packages of their own.
The vulnerabilities were discovered in November 2015. Malwarebytes did not manage to close the holes in its product within the 90-day deadline Project Zero gives vendors, so Google researcher Tavis Ormandy published the details on his blog.

According to him, the antivirus's update process involves downloading YAML files. Although these files carry an MD5 checksum, they are transferred over an unprotected HTTP connection, so an attacker can swap them out easily and recompute the checksum to match the substituted content.

Ormandy suggests the developers assumed the data could not be tampered with because it was encrypted with RC4, but the RC4 key sits in the program code itself; he was able to decrypt the files with a single OpenSSL command.
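To make the three weaknesses above concrete, here is an added example (written for this page; it is not Malwarebytes' or Ormandy's code) that models the update channel as the article describes it: an RC4-encrypted rules file whose MD5 travels in a manifest over the same unprotected connection, with the RC4 key a constant inside the client. It shows that an on-path attacker can rebuild a valid-looking update using the vendor's own steps, then contrasts this with a manifest signed under a key pinned in the client. The key, manifest layout, rule text and the toy RSA keypair are all assumptions; a real product would use a standard code-signing scheme.

```python
"""Added example, not Malwarebytes' code: the update channel described above
(RC4 blob + in-band MD5 over plain HTTP) modelled next to a signed one.
Key, manifest layout and rule text are invented for illustration."""
import hashlib
import json
import random

def rc4(key, data):
    """RC4 keystream XOR; the same call encrypts and decrypts."""
    S, j = list(range(256)), 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

# Assumed constant baked into the client binary: anyone with the binary has
# it, so "encrypted with RC4" authenticates nothing.
CLIENT_RC4_KEY = b"demo-key-in-binary"

def build_update(rules):
    """Vendor side of the weak scheme: encrypt, then put the ciphertext's MD5
    in a manifest that travels over the same unprotected connection."""
    blob = rc4(CLIENT_RC4_KEY, rules)
    return {"md5": hashlib.md5(blob).hexdigest()}, blob

def weak_client_accepts(manifest, blob):
    """Decrypted rules if the in-band MD5 matches, else None."""
    if hashlib.md5(blob).hexdigest() != manifest["md5"]:
        return None
    return rc4(CLIENT_RC4_KEY, blob)

def mitm_replace(malicious_rules):
    """On-path attacker. Reading the real update is rc4() with the leaked key
    (Ormandy's OpenSSL step); forging one is the vendor's own build step."""
    return build_update(malicious_rules)

# Signed scheme: SHA-256 of the blob in a manifest the vendor signs and the
# client verifies with a pinned public key. Toy textbook RSA (random 256-bit
# primes, raw hash as message) only so this runs offline; use Authenticode,
# Ed25519 or similar in a real product.
def _probable_prime(n, rounds=24):
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):           # Miller-Rabin
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def keygen(bits=512):
    def prime(b):
        while True:
            n = random.getrandbits(b) | (1 << (b - 1)) | 1
            if _probable_prime(n):
                return n
    e = 65537
    while True:
        p, q = prime(bits // 2), prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:        # e must be invertible mod phi
            return (p * q, e), (p * q, pow(e, -1, phi))

def _h(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def build_signed_update(priv, rules):
    n, d = priv
    blob = rc4(CLIENT_RC4_KEY, rules)
    manifest = json.dumps({"sha256": hashlib.sha256(blob).hexdigest()}).encode()
    return manifest, pow(_h(manifest), d, n), blob

def signed_client_accepts(pub, manifest, signature, blob):
    """Check the signature with the pinned key, then the hash it vouches for."""
    n, e = pub
    if pow(signature, e, n) != _h(manifest):
        return None
    if hashlib.sha256(blob).hexdigest() != json.loads(manifest)["sha256"]:
        return None
    return rc4(CLIENT_RC4_KEY, blob)

def demo():
    good, evil = b"rule: block evil.exe", b"rule: allow everything"
    pub, priv = keygen()
    manifest, sig, blob = build_signed_update(priv, good)
    # Attacker can rebuild blob and manifest but must reuse the old signature.
    fblob = rc4(CLIENT_RC4_KEY, evil)
    fmanifest = json.dumps({"sha256": hashlib.sha256(fblob).hexdigest()}).encode()
    return {
        "weak_accepts_forgery": weak_client_accepts(*mitm_replace(evil)),
        "signed_accepts_genuine": signed_client_accepts(pub, manifest, sig, blob),
        "signed_accepts_forgery": signed_client_accepts(pub, fmanifest, sig, fblob),
    }
```

That `mitm_replace` is nothing more than a call to `build_update` is the whole finding: no step on the vendor's side needs a secret the attacker lacks, so an MD5 that arrives alongside the payload only catches accidental corruption, and a key that ships inside the client is not a key. The signed variant rejects the forgery because the attacker can reproduce everything except the signature.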

Ormandy also found that the antivirus's access control lists (ACLs) were misconfigured, which allows privilege escalation. By default, any user of the machine is permitted to create and modify files in the directory where the Malwarebytes antivirus stores its configuration. Since that configuration is consumed by the antivirus itself, this gives an attacker a route to executing code on the victim's machine.
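A practitioner reading this will want to check their own machines for the same mistake. The following is an added example, not Malwarebytes' code and not part of the original article, that parses the output of the Windows `icacls` command and flags ACEs granting write-capable rights to low-privileged principals such as Everyone or BUILTIN\Users. The directory path and both ACL listings are constructed for illustration; in practice you would feed it the output of `icacls "<dir>"` for every directory a privileged service reads from.

```python
"""Added example, not Malwarebytes' code: audit `icacls` output for the
misconfiguration the article describes, a directory where low-privileged
principals may create or modify files. Path and ACL lines are constructed."""
import re

# Rights that let a principal change or add content: the simple rights F/M/W
# plus the specific-rights abbreviations icacls prints inside parentheses.
WRITE_RIGHTS = {"F", "M", "W", "GA", "GW", "WD", "AD", "WA", "WEA",
                "D", "DE", "DC", "WDAC", "WO"}
# Principals that every local account (or every logged-on user) maps to.
LOW_PRIV = {"everyone", r"builtin\users", r"nt authority\authenticated users",
            r"nt authority\interactive"}
_ACE = re.compile(r"^(?P<who>[^:]+):(?P<parts>(?:\([^)]*\))+)$")
_FLAGS = {"I", "OI", "CI", "IO", "NP", "DENY"}

def parse_icacls(path, output):
    """Return (principal, flags, rights) per ACE. `path` is the argument
    icacls was run with; it prefixes the first line of the output."""
    entries = []
    for line in output.splitlines():
        line = line.strip()
        if not line or line.startswith("Successfully processed"):
            continue
        if line.startswith(path):
            line = line[len(path):].strip()
        m = _ACE.match(line)
        if not m:
            raise ValueError("unrecognised icacls line: %r" % line)
        parts = re.findall(r"\(([^)]*)\)", m.group("parts"))
        flags = {p for p in parts if p in _FLAGS}
        rights = {r for p in parts if p not in _FLAGS for r in p.split(",")}
        entries.append((m.group("who"), flags, rights))
    return entries

def writable_by_low_priv(path, output):
    """Findings for ACEs that grant write-capable rights to low-privileged
    principals. DENY entries are skipped; inherit-only ACEs (IO) are still
    reported because they govern files created under the directory later."""
    findings = []
    for who, flags, rights in parse_icacls(path, output):
        if "DENY" in flags or who.lower() not in LOW_PRIV:
            continue
        bad = sorted(rights & WRITE_RIGHTS)
        if bad:
            findings.append({"principal": who, "rights": bad,
                             "inherit_only": "IO" in flags,
                             "inherited": "I" in flags})
    return findings

# Constructed sample: the weak layout (any user may modify and create files)
# next to a hardened one (users read-only, writes reserved for SYSTEM and
# Administrators). The path is hypothetical.
CONFIG_DIR = r"C:\ProgramData\ExampleAV\Config"
WEAK_ACL = r"""C:\ProgramData\ExampleAV\Config BUILTIN\Users:(OI)(CI)(M)
                                NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
                                BUILTIN\Administrators:(I)(OI)(CI)(F)
                                Everyone:(OI)(CI)(IO)(GR,GW)

Successfully processed 1 files; Failed processing 0 files
"""
HARDENED_ACL = r"""C:\ProgramData\ExampleAV\Config NT AUTHORITY\SYSTEM:(OI)(CI)(F)
                                BUILTIN\Administrators:(OI)(CI)(F)
                                BUILTIN\Users:(OI)(CI)(RX)

Successfully processed 1 files; Failed processing 0 files
"""

if __name__ == "__main__":
    for name, acl in (("weak", WEAK_ACL), ("hardened", HARDENED_ACL)):
        print(name, writable_by_low_priv(CONFIG_DIR, acl))
```

Passing the directory path in explicitly is deliberate: the first line of `icacls` output runs the path and the first ACE together, and both may contain spaces and backslashes, so stripping a known prefix is more reliable than guessing where one ends. On the weak listing the script reports `BUILTIN\Users` with Modify and `Everyone` with generic write (inherit-only, so it applies to files created later); on the hardened one it reports nothing.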

Malwarebytes CEO Marcin Kleczynski confirmed the findings and said the company had run into difficulties that prevented it from fixing everything within 90 days. According to him, several of the bugs have already been fixed on the server side, and a new version of the antivirus is now undergoing internal testing. Kleczynski added that, by his assessment, the vulnerabilities Ormandy found could not be used for mass attacks on Malwarebytes users: an attacker can only "attack one machine at a time".

This is not the first time in the past year that serious vulnerabilities have turned up in security software, or that antivirus companies themselves have come under attack. In June 2015, media reports revealed that British and American intelligence agencies had been looking for vulnerabilities in Kaspersky Lab products. Around the same time, Google Project Zero researchers described a serious vulnerability in ESET NOD32 Antivirus that let an attacker read, modify and delete any file on a computer with the antivirus installed.

In the summer of the same year it emerged that Symantec Endpoint Protection contained a number of serious vulnerabilities allowing authentication bypass, privilege escalation, arbitrary file reads and writes, and SQL injection. At almost the same time, the antivirus vendor BitDefender announced that it had been the victim of a hacker attack in which user passwords were stolen; the fact that the passwords had been stored in plaintext caused a particular stir.

Later, in the autumn of 2015, serious security bugs were discovered in the TrueCrypt encryption software, and a few months after that, in December of the same year, critical vulnerabilities were also found in Avast antivirus.

In addition, last autumn security researcher Mazin Ahmed published a study in which he found XSS vulnerabilities in several popular firewalls at once. We tested the self-learning PT Application Firewall against the bypass techniques described in that work: all of the bypasses presented were blocked.

Source: https://habr.com/ru/post/276811/

