Bug Bounty Scheme Begun at Malwarebytes Following Report of Security Flaws

Malwarebytes, renowned for its security product MBAM (Malwarebytes Anti-Malware), protects Mac OS X and Windows computers by detecting, eliminating and safeguarding end-users within real time from malicious programs and other e-threats. The security company is hastening towards patching vulnerabilities within its software, which if exploited can let cyber-criminals thrust malware onto the company's clients.

The anti-virus vendor states that it recently patched server-side security flaws which Tavis Ormandy, researcher for Google's Project Zero reported during November last. Nevertheless, there are still vulnerabilities within its client-side software, which users of Windows computers have deployed on their systems.

Patching of the client-side vulnerabilities is likely to require 3 weeks at the most by when the fixes would also get released. Meanwhile however, Ormandy has publicly reported all the particulars about the flaws. According to Project Zero, vendors require patching their flawed applications within 90 days prior to them going wholly public. Theregister posted this dated February 2, 2016.

Originally researcher Tavis Ormandy had found MBAM pulling down from the Net signature updates through the medium of HTTP, while it didn't also authorize digitally those updates, thus fundamentally letting Man-in-the-Middle (MitM) assaults to occur.

He further indicated that cyber-criminals might run code onto victims' devices via exploitation of vulnerabilities within ACTION and TXTREPLACE utilities, while even leverage one problem of escalating local privilege discovered within Access Control List (ACL) of the engine, thereby acquiring for themselves, system-level consent.

Hearing from Ormandy, Malwarebytes quickly released one urgent patch and presently it is getting ready for launching MBAM 2.2.1 that would plug the security holes completely.

For this, Marcin Kleczynski, CEO of Malwarebytes declared the company had created one authorized bug bounty scheme that would maintain its product free of bugs, however, would as well reward external investigators who research to find security bugs.

The awards would be in the range of $100-$1,000 (EUR91-EUR910) based on how serious a bug was; however, for lower-scaled vulnerabilities, they too would get Malwarebytes' "swag."

Meanwhile, end-users continuing with MBAM's previous or current editions should enable the software's self-protection option for preventing any possible exploitation of Ormandy's security flaws.

» SPAMfighter News - 2/8/2016