Malwarebytes not so safe

[Gary]

Malwarebytes is rushing to plug security flaws in its software that allow miscreants to sling malware at its customers.

The antivirus firm says it has addressed server-side vulnerabilities that were reported by Google Project Zero researcher Tavis Ormandy in November. However, security holes remain in the client-side software that runs on people's Windows PCs.


    Malwarebytes updates are not signed or downloaded over a secure channel
    Malwarebytes uses incorrect ACLs allowing trivial privilege escalation
    TXTREPLACE rules are not context aware, allowing code inject
    ACTIONs can result in remote code execution


http://www.theregister.co.uk/2016/02/02/malwarebytes_0day/

[Clive]

That's bad news.  Malwarebytes is usually my first port of call if I think I've visited a dodgy website. 

[Technical Ben]

Should be a minor problem and fixed by the next update or so.

[Gary]

Should be a minor problem and fixed by the next update or so.

Should not have been there in the first place...

[Gary]

Looks like if you are running the free version of malwarebytes it could be a month before its fixed. You cant turn on the defences to mitigate this flaw unless you use the paid version. I guess encrypting updates would have helped.

"Free users will simply have to wait the three or four weeks until the patch becomes available. If you're extremely paranoid — and you might be justified, since skilled coders will be able to reverse-engineer Ormandy's findings — you can eschew malware signature updates altogether during that time, although doing so would somewhat defeat the purpose of having an anti-malware program. Bear in mind that the free version of Malwarebytes Anti-Malware is not antivirus software, and does nothing to protect your computer from attack" "(

http://www.tomsguide.com/us/malwarebytes-security-flaw,news-22206.html