Malwarebytes is struggling to fix flaws in its antivirus software that were highlighted by Google’s Project Zero security research team.
Google’s bug-seeking division found that updates for Malwarebytes' software were neither signed nor downloaded over an encrypted channel (plain HTTP rather than HTTPS).
This left the updates exposed to an attacker positioned between the client and Malwarebytes' servers, who could tamper with them in transit and have malicious updates delivered to customers.
Google informed Malwarebytes of the flaw in November, and gave the security firm 90 days to fix the update process before going public with the findings.
Malwarebytes was not able to do this, resulting in Project Zero researcher Tavis Ormandy posting details of the flaw to Google’s Security Research website.
“Malwarebytes fetches their signature updates over HTTP, permitting a man-in-the-middle attack,” he wrote, in a post in which some of the flaw's details were redacted.
“Therefore, this scheme is not sufficient to prevent tampering, and the developer should sign them.
“There are numerous simple ways to turn this into code execution, such as specifying a target file in the network configuration, writing a new TXTREPLACE rule to modify configuration files, or modifying a registry key with a REPLACE rule.”
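The mitigation Ormandy points to above, signing the updates so the client can reject anything modified in transit, is shown in the following added example. It is illustrative code written for this article, not Malwarebytes' or Project Zero's code, and it assumes a vendor that signs each update with an Ed25519 key whose public half is pinned in the client; the payload bytes and version string are constructed sample data.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Update is what an update client receives: a version string, the raw
// signature-database payload, and a signature over both. All values used
// below are constructed for this example.
type Update struct {
	Version   string
	Payload   []byte
	Signature []byte
}

// signedMessage binds the version to the payload hash, so a valid signature
// cannot be replayed onto a different version or a different file.
func signedMessage(version string, payload []byte) []byte {
	sum := sha256.Sum256(payload)
	return []byte("update-v1\x00" + version + "\x00" + hex.EncodeToString(sum[:]))
}

// SignUpdate models the vendor's release pipeline holding the private key.
func SignUpdate(priv ed25519.PrivateKey, version string, payload []byte) Update {
	return Update{
		Version:   version,
		Payload:   payload,
		Signature: ed25519.Sign(priv, signedMessage(version, payload)),
	}
}

// VerifyUpdate is the client-side check. It must pass before the payload is
// parsed or applied; a failure means the update is discarded, not "fixed up".
func VerifyUpdate(pub ed25519.PublicKey, u Update) error {
	if len(u.Signature) != ed25519.SignatureSize {
		return errors.New("malformed signature: update rejected")
	}
	if !ed25519.Verify(pub, signedMessage(u.Version, u.Payload), u.Signature) {
		return errors.New("signature verification failed: update rejected")
	}
	return nil
}

// Scenario models one genuine download and two in-transit modifications of
// it (a changed payload byte and a swapped version string). It reports
// whether each was accepted. Keys are generated fresh here; a real client
// would ship the vendor's public key pinned in the binary.
func Scenario() (genuineOK, tamperedPayloadOK, tamperedVersionOK bool, err error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, false, err
	}
	// Constructed sample update contents.
	genuine := SignUpdate(priv, "2.2.1", []byte("rules-db: sample constructed content"))

	tamperedPayload := genuine
	tamperedPayload.Payload = append([]byte(nil), genuine.Payload...)
	tamperedPayload.Payload[0] ^= 0xff // attacker flips a byte on the wire

	tamperedVersion := genuine
	tamperedVersion.Version = "2.2.0" // attacker relabels the update

	genuineOK = VerifyUpdate(pub, genuine) == nil
	tamperedPayloadOK = VerifyUpdate(pub, tamperedPayload) == nil
	tamperedVersionOK = VerifyUpdate(pub, tamperedVersion) == nil
	return genuineOK, tamperedPayloadOK, tamperedVersionOK, nil
}

func main() {
	g, p, v, err := Scenario()
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("genuine accepted=%v, tampered payload accepted=%v, tampered version accepted=%v\n", g, p, v)
}
```

Signing protects integrity of the file regardless of transport, which is why it is the fix rather than HTTPS alone; serving the download over TLS on top of this additionally hides update timing and contents from a network observer.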
Malwarebytes is well past the 90-day deadline, and chief executive Marcin Kleczynski admitted that it will take several more weeks to fix the problem.
“Within days, we were able to fix several of the vulnerabilities server-side and are now internally testing a new version (2.2.1) to release in the next three to four weeks to patch the additional client-side vulnerabilities. At this time, we are still triaging based on severity,” he said in a blog post.
“I’d also like to take this opportunity to apologise. While these things happen, they shouldn’t happen to our users.”
Kleczynski claimed that such flaws are the “harsh reality” of software development, and somewhat deflected attention from his company by noting how Malwarebytes researchers regularly discover flaws in other companies' software.
He noted the importance of vulnerability disclosure programmes to highlight such problems, and took the opportunity to launch the Malwarebytes Bug Bounty scheme which he hopes will “encourage other security researchers to responsibly disclose vulnerabilities in Malwarebytes software”.
Software patches and the update culture have been roundly criticised by security researchers as "fundamentally flawed".
Experts have also argued that the exposure of flaws in software by the likes of Project Zero does more harm than good.