Posted: February 1, 2016 by

Last updated:

In early November, a well-known and respected security researcher by the name of Tavis Ormandy alerted us to several security vulnerabilities in the consumer version of Malwarebytes Anti-Malware. Within days, we were able to fix several of the vulnerabilities server-side and are now internally testing a new version (2.2.1) to release in the next 3-4 weeks to patch the additional client-side vulnerabilities.

In early November, a well-known and respected security researcher by the name of Tavis Ormandy alerted us to several security vulnerabilities in the consumer version of Malwarebytes Anti-Malware.

Within days, we were able to fix several of the vulnerabilities server-side and are now internally testing a new version (2.2.1) to release in the next 3-4 weeks to patch the additional client-side vulnerabilities. At this time, we are still triaging based on severity.

The research seems to indicate that an attacker could use some of the processes described to insert their own code onto a targeted machine. Based on the findings, we believe that this could only be done by targeting one machine at a time.

However, this is of sufficient enough a concern that we are seeking to implement a fix. Consumers using the Premium version of Malwarebytes Anti-Malware should enable self-protection under settings to mitigate all of the reported vulnerabilities.

Unfortunately, vulnerabilities are the harsh reality of software development. In fact, this year alone, our researchers have found and reported several vulnerabilities with other software. A vulnerability disclosure program is one way to accelerate the discovery of these vulnerabilities and empower companies like Malwarebytes to fix them.

I’d like to take this opportunity to launch the Malwarebytes Bug Bounty program which I hope will encourage other security researchers to responsibly disclose vulnerabilities within Malwarebytes software.

I’d also like to take this opportunity to apologize. While these things happen, they shouldn’t happen to our users.

We are taking steps like the Bug Bounty program as well as building automatic vulnerability finding software to mitigate any potential for a future vulnerability. In addition, our engineers have used this discovery to create new processes and methodologies that will help us to continue to scrutinize our own code, identify any weak lines or processes and to build additional tests and checkpoints into our ongoing development cycle.

If you would like to report anything, please e-mail bug-bounty@malwarebytes.com and we’ll get back to you.

Marcin