Google ninjas go public with security holes in Malwarebytes antivirus

Malwarebytes is rushing to plug security flaws in its software that allow miscreants to sling malware at its customers. The antivirus firm says it has addressed server-side vulnerabilities that were reported by Google Project Zero researcher Tavis Ormandy in November. However, security holes remain in the client-side software …

  1. Aslan

    What is wrong with companies that they can't fix security problems in 90 days, and this is a security company we're talking about? If it's not a secure product it should be pulled from the market.

    1. Paul Crawford Silver badge

      Two reasons I can think of:

      1) The design is such a clusterfsck that there is no sane way to fix it short of a major re-write.

      2) They won't (or can't) allocate sufficient competent programmer time to fix it.

      In either case it is software I don't want to have dealings with.

      1. Brewster's Angle Grinder Silver badge

        They've fixed the problems and the fixes are undergoing testing. Testing can't be rushed, particularly given the radical changes it sounds like they've been forced to make. So, in reality, they probably only had 60 days to fix the client problems, and those 60 days included the Christmas holidays. And if you read the article, you will see they were using their resources to fix server side problems. Nor is throwing new programmers at a problem a viable solution because, as we all know, adding programmers to a late project makes it later.

        Some of the problems sound particularly dumb, especially for a company that specialises in security. But I do sympathise with them over the timescale.

        1. Anonymous Coward
          Linux

          Testing can't be rushed?

          "They've fixed the problems and the fixes are undergoing testing. Testing can't be rushed, particularly given the radical changes it sounds like they've been forced to make."

          Shouldn't this kind of thing have been picked up when they stress tested the security product before releasing it to market? They did test it, didn't they?

          "MalwareBytes fetches their signature updates over HTTP, permitting a man in the middle attack."

          1. Anonymous Coward
            Anonymous Coward

            Re: Testing can't be rushed?

            There are enterprise web proxy solutions out there that rely on the same man-in-the-middle trick that Lenovo and others used, to "legitimately" check https traffic for malware. I no longer do personal banking on any company PC.

        2. Charlie Clark Silver badge
          Thumb Down

          Testing can't be rushed, particularly given the radical changes it sounds like they've been forced to make.

          Testing should be part of the development process. If it were, it might have picked up these failures (no package hash, no secure distribution channel) a lot earlier.
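The two failures named in the Ormandy quote above (updates fetched over plain HTTP, no package hash or signature) are worth seeing side by side. The block below is an added example, not Malwarebytes' update code or format and not anything from the article: the "server", the on-path attacker and the update bytes are constructed in-memory stand-ins, and a SHA-256 digest pinned in the client stands in for the vendor signing key a real product would ship. It shows three clients against the same attacker: one that installs whatever arrives, one that also downloads a `.sha256` file over the same unauthenticated channel (which the attacker simply rewrites), and one that checks against a value the attacker cannot influence.

```python
"""Added example: why signature updates over plain HTTP with no hash or
signature check let a man-in-the-middle swap the payload.

All inputs are constructed for illustration. This is not the vendor's
update code; the pinned digest stands in for a signing key the client
already trusts.
"""
import hashlib
import hmac
from typing import Callable, Tuple

# Constructed stand-in for a signature database published by the vendor.
GENUINE_UPDATE = b"SIGDB v1\nEICAR-Test-File\nWin32.Example.A\n"

# Constructed stand-in for what a network attacker substitutes.
MALICIOUS_UPDATE = b"SIGDB v1\n<attacker-controlled rule set>\n"

# Value the client shipped with, or received over an authenticated channel.
# A real client would instead carry a public key and verify a signature,
# so that new updates do not require a new client release (assumption:
# a pinned digest is used here only to stay within the standard library).
PINNED_SHA256 = hashlib.sha256(GENUINE_UPDATE).hexdigest()


def http_fetch(attacker_present: bool) -> bytes:
    """Model a plain-HTTP download: no server authentication, so an
    on-path attacker simply answers with its own bytes."""
    return MALICIOUS_UPDATE if attacker_present else GENUINE_UPDATE


def http_fetch_with_digest(attacker_present: bool) -> Tuple[bytes, str]:
    """Model the 'fix' of also downloading a .sha256 file over the same
    insecure channel. The attacker rewrites both body and digest."""
    body = http_fetch(attacker_present)
    return body, hashlib.sha256(body).hexdigest()


def install_unverified(attacker_present: bool) -> bytes:
    """Vulnerable client: installs whatever came down the wire."""
    return http_fetch(attacker_present)


def install_with_same_channel_digest(attacker_present: bool) -> bytes:
    """Still vulnerable: the digest is only as trustworthy as the channel
    it arrived on, and that channel is unauthenticated."""
    body, served_digest = http_fetch_with_digest(attacker_present)
    if not hmac.compare_digest(hashlib.sha256(body).hexdigest(), served_digest):
        raise ValueError("digest mismatch")
    return body


def install_with_pinned_digest(attacker_present: bool) -> bytes:
    """Hardened client: compares against a value the attacker cannot
    influence, and refuses to install on mismatch."""
    body = http_fetch(attacker_present)
    if not hmac.compare_digest(hashlib.sha256(body).hexdigest(), PINNED_SHA256):
        raise ValueError("update rejected: digest does not match pinned value")
    return body


def outcome(installer: Callable[[bool], bytes], attacker_present: bool) -> str:
    """Classify what the client ended up with: 'genuine', 'malicious',
    or 'rejected' (the safe failure mode)."""
    try:
        body = installer(attacker_present)
    except ValueError:
        return "rejected"
    return "genuine" if body == GENUINE_UPDATE else "malicious"


if __name__ == "__main__":
    clients = [
        ("unverified", install_unverified),
        ("same-channel digest", install_with_same_channel_digest),
        ("pinned digest", install_with_pinned_digest),
    ]
    for name, fn in clients:
        print(f"{name:20s} no attacker: {outcome(fn, False):9s} "
              f"attacker: {outcome(fn, True)}")
```

The middle case is the one worth remembering: a hash file published next to the package adds nothing unless it arrives over a channel the attacker cannot tamper with. Moving the download to HTTPS authenticates the server, but a signature verified with a key already in the client is what protects against a compromised mirror or CDN as well, which is why a pinned digest is only a stand-in here.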

        3. Tom 13

          The other thing to remember is that while they are now a security company, that's NOT how they started. It started as one guy who was automating some fixes he routinely applied for friends and family.

          Yeah, they should have had time to clean it up into professional code. But given how much professional code is crap that needs cleaning up the same way....

      2. Anonymous Coward
        Anonymous Coward

        "In either case it is software I don't want to have dealings with."

        Would usually agree, but in this case I've used MWB countless times where it's picked up something other AV programs have missed. It hasn't successfully cleaned it 100% of those times, but at least it's been aware of it, which other AVs at the time didn't pick up.

        For all there's this error, on the most part, they do a good job of keeping their defs/scanning up to date. YMMV etc etc blah blah! :-)

        1. jason 7

          Hmm, funny that. I do a lot of virus removal for customers and MWB is one of the tools I use. It's regularly the one tool that finds nothing. Even MSE finds more stuff than MWB. You can scan with MWB and it might find something, and then if you scan the HDD with it again it might find another. Hang on....

          Not very useful. I have dropped it several times from my cleaning process but it comes back when fans tell me "oh its a lot better now!" It never appears to be.

          I think a case of marketing/fanboi love over effectiveness. YMMV however.

          1. SmartAceW0LF

            Do pray tell....

            What is "your" preferred security product? You do a lot of virus removal, please enlighten us. Or perhaps it's a trade secret?

        2. Sil

          I've been using MWB a few times, not for viruses, but for malware that is a pain to uninstall, such as the kind that changes your default search engine. For this at least I was always very satisfied with the software.

      3. Anonymous Coward
        Anonymous Coward

        too little too late

        MalwareBytes:

        You should have spent the resources to fix this within the 3 months.

        I was a loyal fan and enthusiastic promoter.

        Now you're dead to me.

    2. Anonymous Coward
      Anonymous Coward

      Meh. I install, scan and uninstall. Rinse and repeat when needed. I use other products for real time scanning. (It's malware, not a virus scanner)

      What are the chances of something going wrong in that timeframe and not getting spotted and announced as a warning for me to wait until the next update?

    3. ecofeco Silver badge

      Short answer?

      Suits.

    4. Anonymous Coward
      Anonymous Coward

      I hope Google gets really fucked up by someone giving them 90 days to fix a hole that they don't manage to in time.....

      1. I ain't Spartacus Gold badge

        I hope Google gets really fucked up by someone giving them 90 days to fix a hole that they don't manage to in time.....

        It's just a matter of time. Particularly now that so many people are doing banking on their mobile phones. Google only barely even care about fixing the security nightmare that is Android. I admit the problem is as much the fault of the phone vendors, but when there's an Android-wide publicly noticed virus outbreak (even if it only really happens to the non-Nexus stuff that's not getting properly updated), who's going to get the blame? Will headline writers say, "Sony, Motorola/Lenovo, LG, Huawei, HTC Failing to Fix Bugs Causes Huge Virus Outbreak in Android"? I doubt it. They'll say, "Huge Security Holes in Google Android".

        I'm amazed it hasn't happened already. The diversity of hardware and old versions means it should never be as bad as what happened to XP in the early years of the last decade (Melissa, I Love You etc.). But Microsoft still haven't recovered from the damage those few years of security chaos did to their image. It's bound to come Google's way soon enough. Of course, there's a joke about predicting doom like this. Economists have predicted 11 of the last 2 recessions...

        1. Anonymous Coward
          Anonymous Coward

          "Economists have predicted 11 of the last 2 recessions..."

          There is a difference between a technical recession and a slump.

          What was bad about economists was that during the 2000s boom, academic economists were increasingly taken over or funded by the same banks and hedge funds that were creating the bubble, so they were telling us that the economy really did run on pink unicorns and fairy dust even as midnight approached.

          If governments had any sense (a big ask) they would surely be funding completely independent security researchers, none of whom owed anything to the really big malware flingers - the NSA and GCHQ - to provide completely impartial advice. And making sure it got publicised.

          Once upon a time there was genuine argument among economists who weren't being bought off with huge salaries, but then they started reporting things such as that trickle down didn't work and free markets weren't free, and that had to be stopped.

  2. Brewster's Angle Grinder Silver badge

    So running AV slows down your machine, increases the amount of memory it needs, and increases your vulnerability...

    Okay, that's a cheap shot. I know all software has bugs. I know that for the uneducated masses AV is a net gain. But...

  3. billium

    O.K. I'll defend them.

    Every time someone brings in a virally infected Microsoft Windows PC, I use Malwarebytes to remove the infection and most of the time it is successful. I always remove Malwarebytes afterwards and suggest to the owner they buy the Pro version if they are more likely to get malware due to their usage.

    It is part of the TCO of a Microsoft OS, as Lincolnshire CC have found.

    1. Anonymous Coward
      Anonymous Coward

      I used it today on a "troubled" laptop. It was more use than a Google search to identify the miscreant adware.

    2. jason 7

      I take it you guys are installing MWB on the actual infected machine?

      Not a good way to do it. You won't have got it all in most cases.

      Remove the HDD from the machine and scan it with another PC with at least three other AV products.

      I still use another two products once I have put the HDD back in the machine to finally clean up and check. Only way short of wiping the HDD and starting again.

      One product installed doesn't work.

      1. ukgnome

        sigh - the idea of an AV is to prevent an infection.

        There is a difference between an Anti-Virus and a Malware scan and removal tool.

        No one has suggested that the Malware scan and removal is at risk, and everyone agrees that this is quite good. As for viruses....well, if you have one then your AV is poor, popping out the drive into a clean machine and running through several different scans is one of the single dumbest things. The only safe way to deal with that infected machine is a clean install.

        Why would you risk another machine by mounting the infected drive in it? Think about it, now think really really hard.

        1. jason 7

          You haven't done any regular AV removal clean-ups, have you? Never thought you might use a machine specifically set aside for scanning the infected HDD in a docker? Malware and viruses use stealth techniques that AV and malware scans can't find if the software is active... on a running machine. You have to run the infected drive as though it's a dumb data drive.

          In my line of work you just lump the whole lot together, AV/malware scan... all the same thing. Saves time and the customer doesn't care. Just wants their machine back working. Which it won't be if you don't scan it using another machine. I guess you might be a bit worried now about those machines you thought were clean?

          One AV/Malware tool does not clean them all off. Especially if you are using MWB! You have to use several. Finish off with some Combofix for good measure.

          1. Tom 13

            Re: You haven't done any regular AV removal clean ups have you?

            Actually I have. Scanning in a set aside PC was deprecated as unworkable about 8 years ago.

            These days the exploit kits are too available and too complex. Even using five different products to scan in such a detached system doesn't ensure there isn't anything left in the machine that will reinfect it. In the time you run those 3 or 5 or 7 scans, you can image a new system. Moving data is at your own risk.

        2. herman

          ...and why would an infected data drive infect another machine? You need to execute a program on it for anything to happen. Scanning it will not execute anything.

          1. jason 7

            Indeed herman. Wiping the HDD and starting again is the best (and sometimes quickest) way to deal with such things.

            However...real world...customers...critical machine...no backups...licenses lost...complexity of existing build...how much willing to pay...etc.etc.

            Please note I do not run a IT team in a corporation etc. I deal with customers that walk in off the street.

            So no clone builds or structured processes. Oh I wish...

          2. Anonymous Coward
            Anonymous Coward

            Scanning it will not execute anything.

            I would like to believe this, but to do that I would need to have 100% confidence that the scanning program did not open the file in a sandbox to see what happened, and that there wasn't malware in the file that broke out of the sandbox.

            I have always scanned suspect Windows drives from Linux as a first step, but what is perhaps needed is an antivirus toolbox for Windows drives running in a very hardened and minimal surface Linux or Unix.

            1. jason 7

              Re: Scanning it will not execute anything.

              By all means if you have the time, staff and the money.

              1. ukgnome

                @jason 7 : Scanning it will not execute anything.

                When I had my small business I used to do all that and frankly what a massive waste of time. I am sure you have a lot of success. I am also sure you have a lot of repeat customers.

                The fact that you are unaware of how viruses propagate is worrying. MBR viruses have been around for a while and I am doubtful that you are paying heed to them correctly. MBR and VBR can and do still propagate through sloppy techniques such as the one you describe; I hope your BIOS is up to date. You allude to using a sandboxed machine for your wiping activities; I am keen to know how you get your virus definitions updated. You must spend so much time rebuilding that particular device.

                The only way to be sure is a rebuild and education thereafter. Even though corporations have enterprise anti-virus and a workforce of drones, you wouldn't expect them to be happy with an anti-virus removal. People's data is worth so much, be it corporations' or private individuals', and you would do well to remember that.

                A better solution for you would be to back up the customer data onto your sandbox machine (then scanned) and then a rebuild of the customer's device. Not only could you charge a little extra, but your customers would appreciate this extra level of precaution.

                1. jason 7

                  Re: @jason 7 : Scanning it will not execute anything.

                  Like I said, in the real world with real world small business and domestic customers, it doesn't work like that.

                  Sometimes the best solution just isn't workable.

                  1. Tom 13

                    Re: @jason 7 : Scanning it will not execute anything.

                    If you're sending your customers away thinking they have clean machines, you're lying to them.

                    There's simply no way to know you've cleaned an infected machine these days.

                    Tell them the truth, then help them navigate to a solution.

                    1. jason 7

                      Re: @jason 7 : Scanning it will not execute anything.

                      Fine, the alternative is always PC World. Then they lose their PC, software and the data.

                      Or some guy that just slaps Malwarebytes on the machine and says job done!

                      Remember these are people who won't pay even £200 to get all their business data back if their HDD fails. Let alone pay to have a machine with all the "irreplaceable software" and settings wiped and rebuilt for whatever it costs. This is what you are up against.

                      People are cheap bastards. You only get so much for £50.00.

                    2. Roland6 Silver badge

                      Re: @jason 7 : Scanning it will not execute anything.

                      If you're sending your customers away thinking they have clean machines, you're lying to them.

                      There's simply no way to know you've cleaned an infected machine these days.

                      Tell them the truth, then help them navigate to a solution.

                      Well the best you can do is to ensure they have a fully functioning security suite installed with 30 days free trial left to run, and tell them to come back if it reports anything, if they don't come back...

                      It's a bit like going to the Dr, they prescribe a course of treatment, you only go back if the treatment doesn't work.

                2. Roland6 Silver badge

                  Re: @jason 7 : Scanning it will not execute anything.

                  "A better solution for you would be to back up the customer data onto your sandbox machine (then scanned) and then a rebuild of the customers device. Not only could you charge a little extra, but your customers would appreciate this extra level of precaution."

                  The trouble is that gets you into issues around Windows reinstall. Can you trust the recovery images on the hidden partition (assuming they are still there)? What else has the user installed etc. etc. This path rapidly gets you into the "it's cheaper to buy a new machine" dialogue, which doesn't actually help the client very much...

                  Personally, my recent experiences have led me to be much more cautious about attempting recovery...

                  The last few have had normal AV software (e.g. Norton) installed, and whilst multiple scans over a couple of weeks did not discover any infection, it would seem that the malware exploit/installer, in trying to circumvent the AV, did much damage to Windows, resulting in the strange behaviour that led the client to contact me. The worrying aspect, for me, was that the 'fix' was to effect some rather major system-wide changes to Windows permissions. Whilst these certainly got a system up and working again, the system was now wide open (i.e. key system files and processes were alterable by a limited user...). As a professional, I can't really hand back a system in this state and say I've fixed the problem.

                  1. jason 7

                    Re: @jason 7 : Scanning it will not execute anything.

                    "As a professional, I can't really hand back a system in this state and say I've fixed the problem."

                    I wouldn't like to either, but then you have the issue of having spent X hours and then having to tell the customer that spending X further hours rebuilding the machine from scratch (obviously some of you would also recommend a new HDD and replacing the BIOS chip too), losing the precious settings and copy of AutoCAD/Office/other software that you can't imagine they would normally have (that he can't quite find the licence key for right now)... all for a £200 laptop or £80 worth of 2009 vintage desktop.

                    Which he said no to when he dropped it in that morning.

                    Ten years ago it was worth throwing some cash at fixing tech. But when you can buy a new Windows laptop for £200 it can be a hard job convincing them.

                    I understand where you guys are coming from but most people just don't want to know or pay for it.

      2. Paul Crawford Silver badge

        Re: Removes the HDD from the machine and scan it with another PC

        Or use one of the "rescue CD" images from Bitdefender or Kaspersky to boot the troubled machine and check for the biggest problems first.

      3. Roland6 Silver badge

        My first step is to run Hiren's Boot CD and run Mini XP on the infected machine (yes, I use a CD, not a USB stick), using this to run AV tools. This gives me some idea of what malware (if any) is actually installed/partially installed etc.; it also has the nice side effect of confirming that the basic platform hardware is still working, and can be the quickest way to return a system to operation.

        1. jason 7

          Yeah the Linux boot Live CDs are pretty good. Variable results with the half dozen I've tried plus they are really sloooooow. All part of the toolkit.

  4. x 7

    I just wish the twats at Google would do something about their own security problems aka tracking software

    1. Sil

      Google is so hypocritical, not even fixing security bugs in older versions of Android and whatnot.

  5. sysconfig
    Devil

    Suspicious

    The strange name Malwarebytes suddenly makes a lot of sense.

    1. SmartAceW0LF

      Re: Suspicious

      Strange name? Those of us in the trenches have been intimately familiar with it for almost a decade now! I don't give a tinker's damn what all these techs with their high and mighty smug talk say about virus/malware removal; ever since MBAM came out it was a game changer! Anyone who has been around doing this work somewhere other than the frigging Geek Squad knows this.

  6. Roland6 Silver badge

    Open session on AV products?

    Given the other recent revelation - see http://www.theregister.co.uk/2015/12/10/kaspersky_mcafee_avg_vulnerable/

    I wonder what other gems we are going to find, suspect Malwarebytes isn't the only one with a poor security model. Perhaps we need some independent lab to conduct a serious set of PEN tests against all the major product offerings...

    Whilst in some respects I'm pleased to see my preferred security products not being mentioned, I'm also wary not to claim that they are 'secure', hence I'm keeping quiet about what I'm currently using....

  7. x 7

    I've just been on the Malwarebytes site; it's been totally rejigged with all the free stuff missing. Just the "premium" package available for download. Even stuff like the anti-exploit kit is missing.

    The new website doesn't inspire confidence - looks too much like a cheap scam site

  8. Anonymous Coward
    Anonymous Coward

    3-4 weeks looks a little optimistic. 36 days and still no sign of 2.2.1
