I just read this regarding a vulnerability in MWB that may take up to 4 weeks to fix:
http://www.itpro.co.uk/security/25989/malwarebytes-c...
Seems a pretty basic error to make on their part not encrypting updates.
Thanks.
I see the article says: "The company's CEO Marcin Kleczynski recommended customers use a workaround until the flaw has been completely eradicated, saying they should enable self-protection in the settings menu to 'mitigate all of the reported vulnerabilities.'"
However, in the free version you cannot do what he suggests, as that option is greyed out. The only workaround would seem to be not to use the programme for the next month if you use the free version.
Mine is the free version, and as you say, it won't be used for a month unless some assurance of it being fixed is issued.
Have we any more news and has MWB made any sort of statement about this?
You could enable the trial of the paid version that lasts for a month, then revert to free after that.
I haven't seen anything yet - haven't been looking particularly though.
I just decided to leave it alone for a few weeks and then check around.
Any word of a fix yet? Been 5 weeks now.
Had a quick look on their Release History and the answer is no; the last update was on the 12th October 2015.
Looks like the new 'fix' version (2.2.1) hasn't been released yet ... this is a comment from just a short while ago this morning:
"You ever going to release this fix or should I start looking for another program that won't let me be exploited? 'No software is perfect' but you said you were gonna fix it in 2-3 weeks not 2-3 months."
Good to see that at last!
Although it can be downloaded now, it looks as though within the coming week there'll be an update and it won't be necessary to uninstall the old version first:
"We'll be enabling automatic upgrades for current users beginning next week. If you'd like to upgrade before then, simply download the new version from the link above and install"
I didn't uninstall the previous version. Downloaded the file and installed over the top of the previous version.
Even better! Thanks.
This is comical.
So a software security vendor needs to rely on people to tell them to follow modern encryption security practices?
They're not alone in this problem.
E.g. software like Avast and ESET, which have HTTPS scanning modules, will disable technologies such as OCSP and key pinning. Some versions also have no TLS 1.1/1.2 support.
TLS v1.1 is also an issue, as it is prone to the POODLE-over-TLS vulnerability. The only version to be used should be version 1.2, and support for SSL2, SSL3, TLS v1 and v1.1 should be disabled; else an attacker is able to launch an attack whereby they can force a user's session to downgrade and use older TLS or even worse SSL versions, even if TLS v1.2 is enabled... Thereby, the attacker is able to break the encryption used. This of course is an issue for those using ancient browsers.
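As an added illustration of the point made in the post above (this is example code, not anything from Malwarebytes, Avast or ESET, nor from the thread's authors), here is a client-side TLS configuration in Python's standard `ssl` module with the weak setting beside the hardened one. The hardened context pins the minimum protocol version to TLS 1.2, so a peer offering only SSLv3/TLS 1.0/TLS 1.1 is refused rather than silently accepted; the `version_allowed` helper is a hypothetical policy check added here so the effect of each context can be exercised offline without opening a connection.

```python
import ssl

# Protocol names as they appear in ssl.TLSVersion (Python 3.7+).
LEGACY_VERSIONS = ("SSLv3", "TLSv1", "TLSv1_1")
MODERN_VERSIONS = ("TLSv1_2", "TLSv1_3")


def weak_context() -> ssl.SSLContext:
    """The kind of setting the post warns about: a client that will still
    negotiate TLS 1.0 and TLS 1.1 if that is what the other side offers."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1  # allows downgrade to 1.0/1.1
    return ctx


def hardened_context() -> ssl.SSLContext:
    """Client context restricted to TLS 1.2 and newer.

    create_default_context() already enables certificate verification and
    hostname checking (PROTOCOL_TLS_CLIENT); the extra step is refusing every
    protocol version below 1.2 so that no legacy SSL/TLS version can be
    negotiated, whatever the server proposes.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # Belt and braces: these flags are redundant with minimum_version on
    # current OpenSSL builds but make the intent explicit in audits.
    ctx.options |= ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3
    ctx.options |= ssl.OP_NO_TLSv1 | ssl.OP_NO_TLSv1_1
    return ctx


def version_allowed(ctx: ssl.SSLContext, version_name: str) -> bool:
    """Hypothetical policy check (not part of the ssl module): would this
    context accept a handshake that settles on the named protocol version?

    MINIMUM_SUPPORTED / MAXIMUM_SUPPORTED are sentinel values whose integers
    do not sort with the real protocol numbers, so they are treated as
    'no bound' rather than compared numerically.
    """
    version = ssl.TLSVersion[version_name]
    low, high = ctx.minimum_version, ctx.maximum_version
    if low != ssl.TLSVersion.MINIMUM_SUPPORTED and version < low:
        return False
    if high != ssl.TLSVersion.MAXIMUM_SUPPORTED and version > high:
        return False
    return True


def policy_report(ctx: ssl.SSLContext) -> dict:
    """Map every known protocol version to whether ctx would accept it."""
    return {name: version_allowed(ctx, name)
            for name in LEGACY_VERSIONS + MODERN_VERSIONS}


if __name__ == "__main__":
    for label, ctx in (("weak", weak_context()), ("hardened", hardened_context())):
        print(label, policy_report(ctx))
```

The report for the hardened context shows every legacy version rejected and only TLS 1.2/1.3 accepted; the weak one accepts TLS 1.0 and 1.1 as well. The same `minimum_version` setting applies to server contexts built with `ssl.PROTOCOL_TLS_SERVER`, which is the side that decides what an update service will actually speak.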