Unfortunately, vulnerabilities are the harsh reality of software development. Consumers using the Premium version of Malwarebytes Anti-Malware should enable self-protection under settings to mitigate all of the reported vulnerabilities. However, this is of sufficient enough a concern that we are seeking to implement a fix. Based on the findings, we believe that this could only be done by targeting one machine at a time. The research seems to indicate that an attacker could use some of the processes described to insert their own code onto a targeted machine. At this time, we are still triaging based on severity. Within days, we were able to fix several of the vulnerabilities server-side and are now internally testing a new version (2.2.1) to release in the next 3-4 weeks to patch the additional client-side vulnerabilities.
In early November, a well-known and respected security researcher by the name of Tavis Ormandy alerted us to several security vulnerabilities in the consumer version of Malwarebytes Anti-Malware. Source: Malwarebytes Anti-Malware Vulnerability Disclosure
