When you get a new computer, the first thing you should do is install security software. Without some kind of protection, your computer will pick up viruses in no time and be vulnerable to hacking attacks.
Unfortunately, like any other software, security software isn't perfect. Sometimes it has flaws that hackers can use to bypass the protection it's supposed to provide. Security researchers at Google's Project Zero recently discovered such a flaw in a popular security program you've probably heard of.
The program in question is Malwarebytes, and it claims to be installed on 250 million computers worldwide. We've talked about it before on this site because the free version is a good backup virus scanner that can sometimes find threats other security software misses.
Unfortunately, Project Zero researcher Tavis Ormandy found four flaws in Malwarebytes, among them that it downloads its virus definition updates over an unencrypted Internet connection. That means every time the program updates, someone who can intercept that download could potentially slip their own code into the program.
A hacker could use these flaws to trick the program into ignoring certain viruses. On the average person's computer, this isn't too big of a threat. A hacker would have to target your computer, or you would have to download and install a virus written to take advantage of the flaw.
However, for a high-profile individual or company running Malwarebytes, a hacker could use these flaws as part of a larger hacking attack. They could make Malwarebytes ignore a specific data-stealing virus and then send that virus to company employees as an email attachment. There would be no chance of the security software stopping it from downloading or running.
Malwarebytes has apologized for the flaws and is working to fix them, although it says it will take three to four weeks. In the meantime, you can find a "self-protection" option in the settings. Turning that on will help make Malwarebytes a bit safer.
Malwarebytes has also announced it's starting a "bug bounty" program that will pay $1,000 to a researcher for finding a bug in its software. It's hoping that will help it find and fix these kinds of problems much sooner.