Malwarebytes is rushing to plug security flaws in its software that allow miscreants to sling malware at its customers.
The antivirus firm says it has addressed server-side vulnerabilities that were reported by Google Project Zero researcher Tavis Ormandy in November. However, security holes remain in the client-side software that runs on people's Windows PCs.
Malwarebytes updates are not signed or downloaded over a secure channel
Malwarebytes uses incorrect ACLs allowing trivial privilege escalation
TXTREPLACE rules are not context aware, allowing code injection
ACTIONs can result in remote code execution
http://www.theregister.co.uk/2016/02/02/malwarebytes_0day/
That's bad news. Malwarebytes is usually my first port of call if I think I've visited a dodgy website.
Should be a minor problem and fixed by the next update or so.
Quote from: Technical Ben on Feb 03, 2016, 12:03:45
Should be a minor problem and fixed by the next update or so.
Should not have been there in the first place...
Looks like if you are running the free version of Malwarebytes it could be a month before it's fixed. You can't turn on the defences to mitigate this flaw unless you use the paid version. I guess encrypting updates would have helped.
"Free users will simply have to wait the three or four weeks until the patch becomes available. If you're extremely paranoid — and you might be justified, since skilled coders will be able to reverse-engineer Ormandy's findings — you can eschew malware signature updates altogether during that time, although doing so would somewhat defeat the purpose of having an anti-malware program. Bear in mind that the free version of Malwarebytes Anti-Malware is not antivirus software, and does nothing to protect your computer from attack"
http://www.tomsguide.com/us/malwarebytes-security-flaw,news-22206.html