Free Software Has Major Security Flaws

Malwarebytes Experiences Major Security Flaws

Google’s research team recently uncovered a huge security hole in a free security software program that you have probably heard of, Malwarebytes. Researcher Tavis Ormandy noticed that the program was getting its virus definition updates over an unencrypted Internet connection. So what does this mean? Essentially, hackers can trick the program into ignoring certain malicious files, or could secretly place their code into the program.

Malwarebytes is currently addressing the issue; however, it reported that it will take three to four weeks to fully resolve the problem. Until the issue is fully resolved, users are encouraged to enable the “self-protection” setting. With the news of these security flaws, Malwarebytes is creating an internal “bug bounty” program. This program is designed to help identify security issues, in hopes of addressing any flaws in a more timely manner.
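A sketch of the check that closes this kind of gap, added here as an example and not Malwarebytes' code: the updater refuses non-HTTPS sources and authenticates the definition bytes before parsing them. The JSON layout, URL, demo key and the HMAC stand-in for a vendor signature are all assumptions made for illustration.

```python
import hashlib
import hmac
import json
from urllib.parse import urlparse

# Constructed demo key. HMAC stands in for a vendor signature so the example
# runs on the standard library; a shipping updater would verify an asymmetric
# signature against a pinned public key, so the client holds no signing secret.
DEMO_KEY = b"constructed-demo-key"


def sign(payload: bytes, key: bytes = DEMO_KEY) -> str:
    """Vendor side: authentication tag over the exact bytes that are served."""
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def accept_update(url: str, payload: bytes, tag: str, key: bytes = DEMO_KEY) -> dict:
    """Client side: return the parsed definitions, or raise ValueError."""
    if urlparse(url).scheme != "https":
        raise ValueError("update URL is not HTTPS")
    if not hmac.compare_digest(sign(payload, key), tag):
        raise ValueError("definitions failed the integrity check")
    return json.loads(payload)  # parse only after the bytes are authenticated


def demo() -> list:
    # Constructed sample data: one blocked file hash in a made-up JSON format.
    bad_hash = hashlib.sha256(b"constructed malicious sample").hexdigest()
    genuine = json.dumps({"version": 2, "blocked_sha256": [bad_hash]}).encode()
    tag = sign(genuine)
    # The tampering the article describes: the blocked entry has been removed.
    tampered = json.dumps({"version": 2, "blocked_sha256": []}).encode()

    results = []
    for url, body in [
        ("https://updates.example.invalid/defs.json", genuine),
        ("http://updates.example.invalid/defs.json", genuine),
        ("https://updates.example.invalid/defs.json", tampered),
    ]:
        try:
            defs = accept_update(url, body, tag)
            results.append(f"accepted v{defs['version']}")
        except ValueError as err:
            results.append(f"rejected: {err}")
    return results


if __name__ == "__main__":
    for line in demo():
        print(line)
```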

Sources:

http://www.komando.com/happening-now/346105/this-one-security-program-has-serious-unfixed-bugs

https://community.spiceworks.com/topic/1423558-malwarebytes-publicly-confirms-security-holes-in-its-anti-malware-software

https://blog.malwarebytes.org/news/2016/02/malwarebytes-anti-malware-vulnerability-disclosure/

http://www.maximumpc.com/malwarebytes-scrambles-to-plug-security-holes-pointed-out-by-google-researcher/

 


32 thoughts on “Free Software Has Major Security Flaws”

  1. @Randy, Thanks for your tip. There was a time when my laptop Dvd rom failed to respond to the repair disk, backup and restore totally disabled in the control panel click on it freezes the entire pc. Lucky for me, Asus laptop has a oneclick factory windows7 installation program, so I tap on F9 key to activate this installation. Everything went nicely no glitches whatsoever and I found myself back in the year 2011 everything works normally, like bsod never existed. Since the cpu back in shape I wanted to know the root cause and installed a backup image that I saved in an external disk 5 months before the actual bsod took place. So far so good, Cheers.

  2. Hi, I would like to comment on a problem that is related to Malwarebytes free & Trial Version. For the past 3 months my laptop os windows7 encountered a series of Blue Screen of Death (BSOD). These events can happen during startup or when the computer is on idle (bsod kicks in when it is about to go into sleep mode). After that when I restart the computer a black screen saying cannot find os. It seems that the drive letter c has been changed to g or the active volume disabled. You can fix these by using Diskpart in command prompt with a windows rescue disk the thing is this is only a temporary fix even run chkdsk /f /r and sfc /scannow. The BSOD always returns when I download a youtube file I am using firefox downloader. So I jotted down the list of services in tasklist one set just after the temporary fix and another set after I download a youtube file and a DLLHOST.EXE file appeared suspicious since this is the only extra file after I did the downloading. I did a search of all DLLHOST.EXE in the system and found one in c:\program files(x86)\malwarebytes anti-malware\chameleon\windows. The size of this file is huge compared to the others in windows system so I just deleted the whole folder since I can always uninstall and install Malwarebytes again. The conclusion is so far so good. I use Malwarebytes because it’s the best antimalware program I know maybe that is why it is used as a target practice for some.

    • @John: have you considered reinstalling Windows to fix your BSOD’s? If you have the installation / setup disc you can do a repair install, see if it fixes the problem. You’ll then have to install the [many] Windows Updates necessary to get you up to speed but that can be done automatically by Windows and is a minor nuisance if a repair reinstall will fix your BSOD’s and instability.

  3. Kayla – I am sorry, but, your article leaves more questions, than answers!

    You first state there is a free software security software (Malwarebytes), that has a huge security hole, found by Google’s research team.

    Then you report that Malwarebytes is encouraging users to implement the “self-protection” setting, which is only in the paid version.

    So, just where is the security issue – In the FREE version or the PAID version or both???!!!

  4. So what is the recommended course of action for those who are using the free version of Malwarebytes? Disable it for three to four weeks? How will we know when it is “safe” to use again? What product would you recommend to identify any exploits that have already happened as a result of this “gaping hole”?

    • Bill,
      First, I want to state this is only my opinion, and you may choose to proceed very differently or completely disagree with my stance on the matter.

      That being said, I would encourage anyone, to only use free AV programs as a back-up source of protection. Personally, I feel more comfortable using a product that I have had positive experiences with, and that uses a completely different method for protecting my computer. The program I use is PC Matic, which uses a whitelisting method, instead of the blacklisting like that of the competitors. Anyway, enough about that.

      To answer your question about identifying exploits, I would find an AV software program that you like, download and scan the computer. If you don’t want to do that, you can always do a system restore; however you won’t really know when the issues arose if you aren’t seeing a noticeable difference in PC performance.

      Again, these are merely suggestions, and tools that I would use if I were in your shoes. I hope it helps!

  5. Actually from what I have read and tested, free software like Avast and AVG are actually better than the paid products. I do not trust any company that makes deals with manufacturers to include free trials that are hard to remove.

  6. A workaround for a temporary fix is to download and install the trial premium version and enable in it the self protect.

  7. @Kayla, the title suggests that there is a gaping hole in Malwarebytes but in reality there is a problem that MAY BE exploited. What software today is perfect? I would challenge none and the only thing is that the hole has not been discovered yet. PC Pitstop should be careful of these misleading, at best, sensational articles, at worst, because someone will start looking for the vulnerabilities in PC Pitstop’s products.

  8. as KAYLA suggests, shell out some shekels and get Norton, Kaspersky, Bitdefender, etc. Get a GOOD PAID product so you are better protected.

  9. I tried to change that setting and yes, it’s not available in the free version. So Malwarebytes is shortchanging the majority of its users.

        • @Jhawk:
          Those replies are really dumb considering the nature of the problem and IT IS security software — free or not!!!! Go ahead… GIVE malware, viruses and vulnerabilities to consumers under the guise of security = MALWARE. Malware Bytes is now potential MALWARE until the vulnerability is fixed!!! I can’t believe the audacity the people who have responded so unreasonably to the original post. Malware itself is not free… there IS a cost I am sure you do not want to pay (or do you?). No updates via https???? That’s crazy for security software — free or not. MB apparently KNOWS this and, as the article states is, and wisely, fixing it. Blatantly shortchanging customers by allowing a serious vulnerability to go unaddressed is no way to promote a security product (esp if a customer contracts a virus due to the weakness). It approaches being UNETHICAL.

      • @kayla: the beginning of the article is misleading because it refers to, “a huge security hole in a free security software program”. The premium version is not free.

        • I’m sorry that you feel the article is misleading. There are security holes, which Malwarebytes is currently addressing. You are correct, the free version does not have the advanced settings. The information regarding the setting change is for users who are paying for the premium version. It would be beneficial for those users to change their settings to be proactive. Unfortunately that option is not available for those who are using the free version. I appreciate your feedback, and will do my best to be clearer in future posts.

          • @kayla: Kayla, in your defense I did not find your article misleading or confusing. Obviously, if you don’t find the option to enable a “self-protection” feature in the software then you are not using the paid version. Who ever heard of paying for fewer features?

  10. Thanks for the information, which version of Malwarebytes is infected? I have both: Malwarebytes that scans computer and also Malwarebytes Anti-Exploit that runs in my search engines. Should I remove these or wait?

    • According to Maximum PC, the Malwarebytes Anti-Malware is infected. Many of the security gaps on the server side have been resolved. There still remain concerns with the client side. They plan to introduce a new version soon. Until then, I would be cautious. If this is the only anti-malware software you have, you most certainly would not want to uninstall or temporarily disable.

        • I honestly don’t believe Malwarebytes is a bad program. They have just experienced some recent security holes, which they are addressing as promptly as possible. They are also being proactive with their ‘bug bounty’ program. I think that says a lot about the company. That being said, free programs are always best as a back-up source. I would encourage an AV software such as PC Matic as the primary AV software, and using a program such as Malwarebytes as a back up.

            • As I said, I don’t believe free AV programs are sufficient to use as a sole source of PC security; however they can be a great back up source.

              I wouldn’t say I am ‘shilling’ for PC Matic. All I have is my personal experience, and I have been very pleased with the product and the protection it provides. Feel free to check it out–there’s a 30 day money back guarantee if you find yourself dissatisfied.

              Either way, I still support my original opinion. Free AV software is a great secondary option, but when it comes to PC security I would suggest a higher level of protection.

          • @kayla: I agree, as a sys admin I always use MalwareBytes to cover for a main AV program that has let something slip through and that happens too often, so I no longer recommend any specific program to anyone as there isn’t anything perfect. You must just keep on top with updates and watch how they evolve with time. The bigger more famous programs tend to have too much overkill and slow down the system and very often trip up with time anyway. Use the KISS philosophy. (Keep It Simple Stupid)

            • @Mark: I guess I could “shill” for pc matic and super shield since I’ve used it for years on all five computers and have NO complaints at all!
