Security Flaw Fixed in Malwarebytes Antivirus

Discussion in 'other anti-virus software' started by Minimalist, Dec 10, 2015.

  1. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,062
  2. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    3,875
    Who'd a thought...MBAM flawed? Is there a fix, released, yet?
     
  3. anon

    anon Registered Member

    Joined:
    Dec 27, 2012
    Posts:
    4,094
    Malwarebytes fixes memory corruption issue

    A security vulnerability was discovered and patched in the Malwarebytes antivirus for Windows, as COSIG (Centre Opérationnel de Sécurité Informatique Gouvernemental) is reporting.
    ..
    ...
    ..
    "A vulnerability in Malwarebytes Anti-Malware 2.2.0 was reported to us by an independent researcher," a Malwarebytes spokesperson told Softpedia. "A fix was released two days after it was reported to us and we have seen no evidence it has ever been used in the wild. We work closely with external researchers, and are grateful for the opportunity to improve our products."
     
    Last edited: Dec 11, 2015
  4. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    2,872
    Location:
    Australia
    Since when has MBAM been an antivirus? :isay:
     
  5. jwcca

    jwcca Registered Member

    Joined:
    Dec 6, 2003
    Posts:
    721
    Location:
    Toronto
    the version on their site is still 2.2.0.1024 dated 2015-10-15 which I'd downloaded 2015-10-17 so apparently the 'fix' around Dec. 3rd isn't released to the public yet or there's some super secret site with the 'fix' that I can't find.
     
  6. amarildojr

    amarildojr Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    1,977
    Location:
    Brasil
    But fixes can also come through updates. I think.
     
  7. jwcca

    jwcca Registered Member

    Joined:
    Dec 6, 2003
    Posts:
    721
    Location:
    Toronto
    I'd done the update, it didn't change the version so I attempted to download the 'new fixed' version but it was still the same = 2.2.0.1024, i.e. no update...
     
  8. anon

    anon Registered Member

    Joined:
    Dec 27, 2012
    Posts:
    4,094
  9. jwcca

    jwcca Registered Member

    Joined:
    Dec 6, 2003
    Posts:
    721
    Location:
    Toronto
    Then neither of the posts by amarildojr or anon are helpful if they are referring to the database version.
    A 'patch' is a change to the program, the 'fix' was described as a 'patch'.

    1) I opened MBAM
    2) I ran "Update" database version with "Check for program updates when checking for database updates" ticked.
    there was no change in the version number
    3) I ran a Scan, the first step is "Check for Updates" just in case there's a 'difference' related to checking program updates.
    there was no change in the version number

    Has anyone had their version number changed to be higher than 2.2.0.1024?
     
    Last edited: Dec 11, 2015
  10. jwcca

    jwcca Registered Member

    Joined:
    Dec 6, 2003
    Posts:
    721
    Location:
    Toronto
    2015-11-28: Francis Provencher of COSIG found the issue;
    2015-11-30: Francis Provencher of COSIG report vulnerability to Malwarebytes;
    2015-12-02: Malwarebytes release a patch for this issue;
     
  11. j9ksf

    j9ksf Registered Member

    Joined:
    Jan 20, 2015
    Posts:
    16
    Just checked - no changes.
     
  12. 1PW

    1PW Registered Member

    Joined:
    Apr 2, 2010
    Posts:
    701
    Location:
    North of the 38th parallel.
    +1
     
  13. fblais

    fblais Registered Member

    Joined:
    Jul 31, 2008
    Posts:
    836
    Location:
    Québec, Canada
    Also wondering the nature of the patch.
    Database or program?
    The strangest thing is that there is nothing about this issue on their forum.
    At least I couldn't find a single thread about it.
     
  14. jwcca

    jwcca Registered Member

    Joined:
    Dec 6, 2003
    Posts:
    721
    Location:
    Toronto
    my point was - they didn't come through updates, at least not up to now.

    you may patch a database program but you don't patch a database.
    you may update a database which entails adding, changing or deleting data within the database, you may add/delete columns and change the characteristics of the contents, but that's not 'patching'
     
  15. amarildojr

    amarildojr Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    1,977
    Location:
    Brasil
    Patches, be it 'program' or 'database' patches, can be pushed via updates and this happens with almost every vendor out there. After all, the update manager connects Home, in this case it's Malwarebytes' home, and receives instructions from Home, and these instructions (programs, vaccines, code in general) can contain patches to the program itself. Avast! does it this way, so does Avira, COMODO, Kaspersky, Bitdefender, and all products I've tested.

    My guess is that Malwarebytes didn't make a big fuss about it and everything was fixed silently, like when Linus pushes critical security fixes to the Kernel but labels them as "normal" because labeling them "critical security bug fix" can raise suspicions from BlackHats and this could make it easier for them to attack non-patched systems.
     
  16. haakon

    haakon Registered Member

    Joined:
    May 25, 2015
    Posts:
    758
    Location:
    SW USA
    @ amarildojr
    If "everything was fixed silently" then how could there be non-patched systems "to attack"??
     
  17. haakon

    haakon Registered Member

    Joined:
    May 25, 2015
    Posts:
    758
    Location:
    SW USA
    Big surprise.

    And if one did post up something, it would take about 45 seconds for the first paste from a Forum Deity to run FRST and mbam-clean and re-install.
     
  18. amarildojr

    amarildojr Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    1,977
    Location:
    Brasil
    Read my post again.
     
  19. haakon

    haakon Registered Member

    Joined:
    May 25, 2015
    Posts:
    758
    Location:
    SW USA
    OOPS. Did I quote you?

    OK. Let me read it again. Wait. Hmmmm. Wait... Got it!

    Everything fixed = non-patched.

    I guess if I knew more about Linus I would have understood the first time around. :D
     
  20. amarildojr

    amarildojr Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    1,977
    Location:
    Brasil
    I'm not sure you got it.

    Even when publishers push a fix, some users won't apply them right away or won't apply at all. This is evident when you see that most people don't update Java, Windows, or whatever else. And since it appears Malwarebytes didn't do a fuss about this patch, I guess they already pushed it via regular updates. My guess also states that the reason behind could be the same as why important Linux security patches aren't labeled "important security hole fix". However, it doesn't make much sense in this particular case since the report details exactly how to exploit the vulnerability.
     
  21. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,062
    Maybe they patched just a module or a component of the program and didn't raise the main program version number? It's harder to find out if you are using the latest -"patched"- module but if it's included in a regular update all users should get it at first update.
     
  22. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    3,875
    Thanks....:thumb:
     
  23. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,062
    I wonder if this bug is also affecting 1.75 version?
     
  24. amarildojr

    amarildojr Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    1,977
    Location:
    Brasil
    Is 1.75 still supported? If so, I think they patched it too.
     
  25. jwcca

    jwcca Registered Member

    Joined:
    Dec 6, 2003
    Posts:
    721
    Location:
    Toronto
    The post on Softpedia states that MalwareBytes patched the 2.2.0 MBAM.
    It doesn't provide any date for this, and that's what started this confusion.


    So I followed the Dec. 3, 2015 Twitter link by researcher Francis Provencher which contained posts stating that:

    and

    So all this consternation was for naught. We're safer with 2.2.0.1024 :) .

    But the MBAM forum reveals that there are some other outstanding bugs to be fixed... but unlikely to be fixed within 2 days :( .
     