A security vulnerability uncovered in Malwarebytes' anti-virus software remains unpatched months after first being disclosed, the firm has admitted. The issue, which could allow an attacker to inject malicious code into a targeted computer, was first reported in November last year by Google Project Zero researcher Tavis Ormandy, who discovered the flaws in a consumer-grade anti-malware product.
Yet despite having been able to resolve some of these vulnerabilities in a matter of days, the company says a number of the security flaws remain exploitable, with a fix still three to four weeks away, according to Malwarebytes CEO Marcin Kleczynski.
"The research seems to indicate that an attacker could use some of the processes described to insert their own code on to a targeted machine. Based on the findings, we believe that this could only be done by targeting one machine at a time," he said in a blog post. "However, this is of sufficient enough a concern that we are seeking to implement a fix. Consumers using the premium version of Malwarebytes Anti-Malware should enable self-protection under settings to mitigate all of the reported vulnerabilities."
In his statement, Kleczynski also announced a new Malwarebytes bug-bounty programme that would allow computer-savvy users to report security flaws in exchange for a financial reward. "A vulnerability disclosure program is one way to accelerate the discovery of these vulnerabilities and empower companies like Malwarebytes to fix them," he said.
"We are taking steps like the bug-bounty program as well as building automatic vulnerability finding software to mitigate any potential for a future vulnerability. In addition, our engineers have used this discovery to create new processes and methodologies that will help us to continue to scrutinise our own code, identify any weak lines or processes and to build additional tests and checkpoints into our ongoing development cycle."
He added: "Unfortunately, vulnerabilities are the harsh reality of software development. In fact, this year alone, our researchers have found and reported several vulnerabilities with other software. I'd also like to take this opportunity to apologise. While these things happen, they shouldn't happen to our users."
For many high-profile technology firms, bug bounties are becoming a popular way of finding severe vulnerabilities before they can be exploited by hackers or cyber-criminals. Most recently, Google announced a $1m (£670,000) disclosure programme for Drive, its cloud-based storage offering, saying it would pay up to $20,000 (£13,500) to researchers who find relevant security gaffes.