
Malwarebytes Anti-Exploit Upgrade Mechanism Vulnerable to MitM Attacks

The upgrade mechanism in older versions of Malwarebytes Anti-Malware and Malwarebytes Anti-Exploit is plagued by a vulnerability that can be exploited to load malicious code on affected systems.

The bug (CVE-2014-4936) was identified by Yonathan Klijnsma, a researcher with Netherlands-based security firm Fox-IT. The vulnerability affects the consumer versions of Malwarebytes Anti-Malware 2.0.2 and earlier, and Malwarebytes Anti-Exploit 1.03 and earlier. Business versions are not impacted.

According to Klijnsma, affected versions of Malwarebytes Anti-Exploit and Malwarebytes Anti-Malware are upgraded over an HTTP connection and they don’t use a proper package validation system to ensure that updates are legitimate. Because the application doesn’t verify the installer, an attacker can serve any Windows PE file and it will get executed with full administrative privileges on the victim’s system.

Both solutions are affected by the flaw because they rely on the same process. The only difference is in the requests for checking the version and getting the update.

The security software is designed to get updates from the Malwarebytes CDN (data-cdn.mbamupdates.com). In order to inject his payload, the attacker needs to intercept the DNS requests for the CDN. This can be accomplished by using various methods, including changing DNS adapter settings, changing the Windows hosts file to override DNS, and performing a DHCP spoofing attack.

In his experiments, in which the attacker’s machine was running Kali Linux and the victim’s machine was running Windows XP, Klijnsma used a DHCP spoofing attack to reroute requests from the Malwarebytes product to the “malicious” server.

By launching a man-in-the-middle (MitM) attack, the expert was able to get the security software to download and execute an arbitrary file, and take over the targeted device.
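The root cause described above is an update client that executes whatever it downloads, so a MitM who controls name resolution can substitute any PE. The following added example (not Malwarebytes code, written for this article) contrasts that unverified acceptance with a hardened check that only runs an installer whose detached Ed25519 signature verifies against a publisher key pinned in the client; the installer bytes and keys are constructed for the demonstration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Constructed sample installers for the demonstration (not real binaries).
var (
	legitimateInstaller = []byte("MZ\x90\x00 constructed legitimate installer bytes")
	attackerPE          = []byte("MZ\x90\x00 constructed attacker-supplied PE bytes")
)

// acceptUpdateUnverified mirrors the flaw in the article: anything that looks
// like a Windows PE file is accepted, with no check of where it came from.
func acceptUpdateUnverified(installer []byte) bool {
	return bytes.HasPrefix(installer, []byte("MZ"))
}

// signUpdate is the publisher's release-time step; the private key never ships.
func signUpdate(priv ed25519.PrivateKey, installer []byte) []byte {
	digest := sha256.Sum256(installer)
	return ed25519.Sign(priv, digest[:])
}

// verifyUpdate is the hardened check: the installer is executed only if the
// signature over its SHA-256 digest verifies against the pinned publisher key.
// Redirecting DNS and serving a different file over HTTP cannot satisfy this
// without the publisher's private key.
func verifyUpdate(pinnedPub ed25519.PublicKey, installer, sig []byte) error {
	if !bytes.HasPrefix(installer, []byte("MZ")) {
		return errors.New("not a PE file")
	}
	digest := sha256.Sum256(installer)
	if !ed25519.Verify(pinnedPub, digest[:], sig) {
		return errors.New("signature does not verify against pinned publisher key")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil reader means crypto/rand
	sig := signUpdate(priv, legitimateInstaller)
	fmt.Println("unverified client accepts attacker PE:", acceptUpdateUnverified(attackerPE))
	fmt.Println("hardened client, legitimate installer:", verifyUpdate(pub, legitimateInstaller, sig))
	fmt.Println("hardened client, attacker PE with replayed sig:", verifyUpdate(pub, attackerPE, sig))
}
```

Transport security (HTTPS with certificate validation) on top of this stops the swap earlier, but the pinned-key check is what holds even when the CDN or DNS is under attacker control.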

The expert reported the Malwarebytes Anti-Malware vulnerability in mid-July and it was addressed on October 3 with the release of version 2.0.3. In the case of Malwarebytes Anti-Exploit, the flaw was reported on August 21, and it was patched in early September with the release of version 1.04.1.1012.

The security firm has added Klijnsma’s name to its hall of fame, the page where it acknowledges the work of independent researchers who help find and fix flaws in Malwarebytes products.

Pedro Bustamante, Director of Special Projects at Malwarebytes, says the company hasn’t seen any evidence that the vulnerability reported by the researcher has been exploited in the wild.

“We work closely with external researchers, and are grateful for the opportunity to improve our products,” Bustamante told SecurityWeek.

Klijnsma has been involved in the analysis of CryptoPHP, a campaign in which attackers use a backdoor to hijack websites powered by Joomla, WordPress and Drupal, and abuse them for black hat SEO.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
