Malwarebytes is struggling to fix flaws in its antivirus software that were highlighted by Google’s Project Zero security research team.
Google’s bug-seeking division found that Malwarebytes' signature updates were fetched over plain HTTP and were not signed, so the client had no way to check that what it downloaded was what the vendor published.
This left the updates open to a man-in-the-middle attacker sitting between the client and Malwarebytes' servers, who could substitute a malicious update for the genuine one and have it installed on customers' machines.
Google informed Malwarebytes of the flaw in November, and gave the security firm 90 days to fix the update process before going public with the findings.
Malwarebytes was not able to do this, resulting in Project Zero researcher Tavis Ormandy posting details of the flaw to Google’s Security Research website.
“Malwarebytes fetches their signature updates over HTTP, permitting a man-in-the-middle attack,” he wrote, in a post in which some of the flaw's details were redacted.
“Therefore, this scheme is not sufficient to prevent tampering, and the developer should sign them.
“There are numerous simple ways to turn this into code execution, such as specifying a target file in the network configuration, writing a new TXTREPLACE rule to modify configuration files, or modifying a registry key with a REPLACE rule.”
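The fix Ormandy describes is the standard one for any auto-updater: the vendor signs the update with an offline private key, the client pins the matching public key, and an update is installed only if the signature checks out, regardless of the transport. The following Go program is an added illustration written for this article, not Malwarebytes' or Project Zero's code, and the manifest layout, field names and sample payloads are assumptions for the example. It signs a version-plus-digest manifest with Ed25519 from the standard library and then plays the three things a man-in-the-middle can do to an HTTP download (swap the payload, swap the payload and recompute the digest, replay an older genuine update), showing which check catches each one.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Manifest is the metadata a client fetches next to an update payload.
// This layout is an assumption for the example, not Malwarebytes' real format.
type Manifest struct {
	Version uint64   // monotonically increasing; lets the client refuse replayed old updates
	Digest  [32]byte // SHA-256 of the payload
	Sig     []byte   // Ed25519 signature over signingInput(Version, Digest)
}

var (
	ErrBadSignature = errors.New("manifest signature invalid")
	ErrDigest       = errors.New("payload digest does not match manifest")
	ErrRollback     = errors.New("update version is not newer than the installed one")
)

// signingInput binds version and digest together so a valid digest cannot be
// paired with a different version (or the reverse).
func signingInput(version uint64, digest [32]byte) []byte {
	buf := make([]byte, 8, 8+len(digest))
	binary.BigEndian.PutUint64(buf, version)
	return append(buf, digest[:]...)
}

// Publish is the vendor side: hash the payload and sign version||digest with
// the offline private key. Only the holder of that key can produce an accepted manifest.
func Publish(priv ed25519.PrivateKey, version uint64, payload []byte) Manifest {
	d := sha256.Sum256(payload)
	return Manifest{Version: version, Digest: d, Sig: ed25519.Sign(priv, signingInput(version, d))}
}

// Verify is the client side. pub is pinned in the client binary and installed is
// the version currently on disk. The transport does not matter: whether the bytes
// arrived over HTTP or HTTPS, they are accepted only if they are exactly what the
// private-key holder signed and newer than what is already installed.
func Verify(pub ed25519.PublicKey, installed uint64, m Manifest, payload []byte) error {
	if !ed25519.Verify(pub, signingInput(m.Version, m.Digest), m.Sig) {
		return ErrBadSignature
	}
	if m.Version <= installed {
		return ErrRollback
	}
	if d := sha256.Sum256(payload); !bytes.Equal(d[:], m.Digest[:]) {
		return ErrDigest
	}
	return nil
}

// Results holds the outcome of each tampering case in Scenario.
type Results struct {
	Genuine  error // untouched update: nil
	Swapped  error // attacker replaced the payload but left the manifest alone
	FixedUp  error // attacker replaced the payload and recomputed the digest
	Replayed error // attacker served yesterday's genuine manifest and payload
}

// Scenario plays a man-in-the-middle against the scheme above using constructed
// sample payloads and a freshly generated key pair.
func Scenario() Results {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	old := []byte("constructed sample: signature database, version 1")
	good := []byte("constructed sample: signature database, version 2")
	evil := []byte("constructed sample: attacker-controlled update body")

	oldM := Publish(priv, 1, old)
	goodM := Publish(priv, 2, good)

	// The attacker does not hold priv, so the most they can do is edit fields in transit.
	fixed := goodM
	fixed.Digest = sha256.Sum256(evil)

	installed := uint64(1)
	return Results{
		Genuine:  Verify(pub, installed, goodM, good),
		Swapped:  Verify(pub, installed, goodM, evil),
		FixedUp:  Verify(pub, installed, fixed, evil),
		Replayed: Verify(pub, installed, oldM, old),
	}
}

func main() {
	r := Scenario()
	fmt.Println("genuine update:", r.Genuine)
	fmt.Println("swapped payload:", r.Swapped)
	fmt.Println("digest fixed up by attacker:", r.FixedUp)
	fmt.Println("replayed old update:", r.Replayed)
}
```

Two design points matter here. The signature covers the version together with the digest, so an attacker cannot mix a genuine digest with a different version number; and the version check rejects replays, which plain HTTPS alone would not catch if the attacker can serve a cached copy of an older signed update. Moving to HTTPS still has value (it hides what is being fetched and blocks casual tampering), but the signature is what makes the update trustworthy once it is on disk.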
Malwarebytes is well past the 90-day deadline, and chief executive Marcin Kleczynski admitted that it will take several more weeks to fix the problem.
“Within days, we were able to fix several of the vulnerabilities server-side and are now internally testing a new version (2.2.1) to release in the next three to four weeks to patch the additional client-side vulnerabilities. At this time, we are still triaging based on severity,” he said in a blog post.
“I’d also like to take this opportunity to apologise. While these things happen, they shouldn’t happen to our users.”
Kleczynski claimed that such flaws are the “harsh reality” of software development, and somewhat deflected attention from his company by noting how Malwarebytes researchers regularly discover flaws in other companies' software.
He noted the importance of vulnerability disclosure programmes to highlight such problems, and took the opportunity to launch the Malwarebytes Bug Bounty scheme which he hopes will “encourage other security researchers to responsibly disclose vulnerabilities in Malwarebytes software”.
Software patches and the update culture have been roundly criticised by security researchers as "fundamentally flawed".
Experts have also argued that the exposure of flaws in software by the likes of Project Zero does more harm than good.