CVE-2016-10717 in Anti-Malware
Summary
by MITRE
A vulnerability in the encryption and permission implementation of Malwarebytes Anti-Malware consumer version 2.2.1 and prior (fixed in 3.0.4) allows an attacker to take control of the whitelisting feature (exclusions.dat under %SYSTEMDRIVE%\ProgramData) to permit execution of unauthorized applications including malware and malicious websites. Files blacklisted by Malwarebytes Malware Protect can be executed, and domains blacklisted by Malwarebytes Web Protect can be reached through HTTP.
Analysis
by VulDB Data Team • 01/15/2020
The vulnerability identified as CVE-2016-10717 represents a critical security flaw in the access control mechanisms of Malwarebytes Anti-Malware consumer edition versions 2.2.1 and earlier. This weakness stems from improper implementation of encryption and permission controls within the software's core architecture, specifically affecting how the application manages its exclusion lists and whitelisting features. The vulnerability exists in the file exclusions.dat located within the %SYSTEMDRIVE%\ProgramData directory, which serves as the primary repository for the software's trusted application permissions and exclusion rules.
The technical implementation flaw manifests through insufficient access controls and weak cryptographic practices that allow local attackers to manipulate the exclusions.dat file directly. This file contains the configuration data that determines which applications are permitted to run without interference from the antivirus protection mechanisms. When an attacker gains write access to this critical file, they can effectively bypass the software's core protection features by adding malicious executables to the whitelist or removing legitimate blacklisted entries. The whitelisting functionality is specifically affected: exclusions are meant to exempt only applications an administrator has approved, so tampering with the list directly undermines the integrity of the malware protection system.
The operational impact of this vulnerability extends beyond simple privilege escalation, as it fundamentally undermines the security posture of systems protected by Malwarebytes Anti-Malware. Attackers can leverage this flaw to execute previously blocked malware, bypass web protection mechanisms, and access malicious websites that would normally be restricted by the software's web filtering capabilities. This creates a persistent backdoor that allows malware to maintain persistence on compromised systems while evading detection by the very protection software designed to prevent such activities. The vulnerability essentially transforms the antivirus solution from a protective barrier into a potential entry point for attackers.
From a cybersecurity framework perspective, this vulnerability aligns with CWE-284, which addresses improper access control, and demonstrates characteristics consistent with ATT&CK technique T1059, where adversaries use legitimate system tools to execute malicious code. The flaw also represents a failure in the principle of least privilege, as the software does not properly enforce access controls on its own configuration files. Organizations affected by this vulnerability face significant risk of data breaches, system compromise, and lateral movement by attackers who can leverage the bypassed protections. The vulnerability's impact is particularly severe given that it affects consumer versions of the software, which are typically deployed in environments with limited security oversight and may be running with elevated privileges.
The remediation strategy for this vulnerability requires immediate patching to Malwarebytes Anti-Malware version 3.0.4 or later, which implements proper encryption and access control mechanisms for the exclusions.dat file. System administrators should also implement additional monitoring of the ProgramData directory for unauthorized modifications to the exclusions.dat file and establish baseline configurations to detect any unauthorized changes to the whitelisting entries. Organizations should conduct comprehensive security assessments to verify that no attackers have exploited this vulnerability and ensure that all systems running affected versions have been updated to prevent further exploitation attempts.
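The monitoring step above (a baseline for exclusions.dat plus detection of unauthorized changes) can be scripted on the protected host. The following PowerShell script is an added example, not code from VulDB or Malwarebytes: it records a SHA-256 baseline of the file, flags later changes against that baseline, and reports any ACL entry that lets a low-privilege identity write to the file, which is the condition that made this CVE exploitable. The exact path of exclusions.dat and the baseline location are assumptions (the page only says the file lives under %SYSTEMDRIVE%\ProgramData), so adjust the parameters to the real install.

```powershell
# Added example (not VulDB's or Malwarebytes' code): baseline and integrity/ACL check
# for the Malwarebytes exclusions.dat whitelist file described in CVE-2016-10717.
# ASSUMPTIONS: the file path below and the baseline location are placeholders.
param(
    [string]$ExclusionsPath = (Join-Path $env:SystemDrive 'ProgramData\exclusions.dat'),
    [string]$BaselinePath   = (Join-Path $env:ProgramData 'exclusions.baseline.json')
)

function Get-ExclusionsState {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { throw "Not found: $Path" }

    $item = Get-Item -LiteralPath $Path
    $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    $acl  = Get-Acl -LiteralPath $Path

    # Identities that should never hold write rights on a protection-config file.
    $lowPriv = @('Everyone', 'BUILTIN\Users',
                 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')

    # Any of these rights lets the holder replace or edit the whitelist.
    $writeMask = [System.Security.AccessControl.FileSystemRights]::WriteData -bor
                 [System.Security.AccessControl.FileSystemRights]::Write     -bor
                 [System.Security.AccessControl.FileSystemRights]::Modify    -bor
                 [System.Security.AccessControl.FileSystemRights]::FullControl

    $weak = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($lowPriv -contains $_.IdentityReference.Value) -and
        (($_.FileSystemRights -band $writeMask) -ne 0)
    }

    [pscustomobject]@{
        Path      = $Path
        Sha256    = $hash
        Length    = $item.Length
        LastWrite = $item.LastWriteTimeUtc.ToString('o')
        Owner     = $acl.Owner
        WeakAces  = @($weak | ForEach-Object { "$($_.IdentityReference) : $($_.FileSystemRights)" })
    }
}

$state = Get-ExclusionsState -Path $ExclusionsPath

# Permission check: this is the weakness the CVE describes, so report it every run.
if ($state.WeakAces.Count -gt 0) {
    Write-Warning "Low-privilege identities can modify $($state.Path):"
    $state.WeakAces | ForEach-Object { Write-Warning "  $_" }
}

# First run: record the baseline and stop.
if (-not (Test-Path -LiteralPath $BaselinePath)) {
    $state | ConvertTo-Json | Set-Content -LiteralPath $BaselinePath -Encoding UTF8
    Write-Output "Baseline recorded at $BaselinePath (SHA256 $($state.Sha256))"
    return
}

# Later runs: compare the current hash with the recorded one.
$baseline = Get-Content -LiteralPath $BaselinePath -Raw | ConvertFrom-Json
if ($baseline.Sha256 -ne $state.Sha256) {
    Write-Warning ("exclusions.dat changed since baseline ({0} -> {1}); review the whitelist entries." -f
                   $baseline.LastWrite, $state.LastWrite)
} else {
    Write-Output "exclusions.dat matches baseline (SHA256 $($state.Sha256))."
}
```

Run it once from an elevated prompt to record the baseline, then on a schedule (or from a SIEM agent) so that a hash change or a weak ACL raises a warning. Because legitimate exclusion edits also change the hash, a change report is a prompt to review the whitelist contents, not proof of compromise; the ACL warning, by contrast, indicates the exact condition fixed in version 3.0.4 and should not appear on a patched install.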