Malwarebytes is rushing to plug security flaws in its software that allow miscreants to sling malware at its customers.
The antivirus firm says it has addressed server-side vulnerabilities that were reported by Google Project Zero researcher Tavis Ormandy in November. However, security holes remain in the client-side software that runs on people's Windows PCs.
These latter vulnerabilities may take up to three weeks to fix and release, although Ormandy has already gone public with details of the holes. Project Zero gives vendors 90 days to fix their broken software before they go fully public. Time's up for Malwarebytes, so now miscreants can start to exploit the reported vulnerabilities:
- Malwarebytes updates are not signed or downloaded over a secure channel
- Malwarebytes uses incorrect ACLs allowing trivial privilege escalation
- TXTREPLACE rules are not context aware, allowing code injection
- ACTIONs can result in remote code execution
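To make the first bullet concrete, here is an added example (not Malwarebytes code, and assuming nothing about its real update format) of the client-side check that closes the "updates are not signed" hole: the updater refuses to install anything unless a detached Ed25519 signature over the version string and a digest of the payload verifies under a public key pinned in the client. The key pair is generated on the spot purely for the demonstration; a shipping client would carry only the vendor's public key, and the private key would stay on the build server. Binding the version into the signed message means an attacker who captures an old, genuinely signed payload cannot relabel it as a newer one. A signature check covers integrity even when the download itself travels over plain HTTP, but it is not a substitute for TLS, which is still needed to keep the update catalogue from being read or rewritten on the wire.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Publisher stands in for the vendor's build server, the only place the
// signing key should ever exist. Constructed for this example.
type Publisher struct{ priv ed25519.PrivateKey }

// Update is what an update client would fetch: the payload plus a
// detached signature. Field layout is an assumption for the example.
type Update struct {
	Version   string
	Payload   []byte
	Signature []byte
}

// NewPublisher generates a fresh key pair. The returned public key is what
// a real client would have pinned at build time.
func NewPublisher() (*Publisher, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Publisher{priv: priv}, pub, nil
}

// signedMessage binds the version string to a SHA-256 digest of the payload
// so that a valid signature cannot be reused on a different version label.
func signedMessage(version string, payload []byte) []byte {
	digest := sha256.Sum256(payload)
	return append([]byte("update-v1|"+version+"|"), digest[:]...)
}

// Sign produces the artefact the update server would publish.
func (p *Publisher) Sign(version string, payload []byte) Update {
	return Update{
		Version:   version,
		Payload:   payload,
		Signature: ed25519.Sign(p.priv, signedMessage(version, payload)),
	}
}

// Verify is the client-side gate: nothing is installed unless the signature
// over (version, payload digest) checks out under the pinned public key.
func Verify(pinned ed25519.PublicKey, u Update) error {
	if len(u.Signature) != ed25519.SignatureSize {
		return errors.New("malformed signature: refusing to install")
	}
	if !ed25519.Verify(pinned, signedMessage(u.Version, u.Payload), u.Signature) {
		return errors.New("signature verification failed: refusing to install")
	}
	return nil
}

func main() {
	publisher, pinned, err := NewPublisher()
	if err != nil {
		panic(err)
	}
	// Constructed sample payload standing in for a definitions/engine update.
	u := publisher.Sign("2.2.0.1024", []byte("constructed update bytes"))
	fmt.Println("genuine update:", Verify(pinned, u))

	// Simulate an on-path modification of the downloaded bytes.
	tampered := u
	tampered.Payload = append([]byte{}, u.Payload...)
	tampered.Payload[0] ^= 0xff
	fmt.Println("tampered update:", Verify(pinned, tampered))
}
```

The client must treat a verification failure as fatal for that update and fall back to the version it already has; logging the failure with the offending version string is also worth doing, since a burst of such failures across a fleet is a useful signal that something on the download path is altering traffic.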