Considering the business that Malwarebytes is in, you can expect to see a lot of negative press about a gaping security hole in the near future, and while there is a vulnerability, it is not as bad as many will make it out to be. The issue is that signature updates are done over HTTP and are unsigned. That is very bad practice, but it is something that would be exploited on a single client connection, as opposed to something you could use to create a widespread infection. The Register links to the Google Project Zero entry, which was released today, as the vulnerability was first reported to Malwarebytes 90 days ago and has not been addressed on the client side.

The actual concern you should have is that the original bug report also found vulnerabilities on the server side. Malwarebytes did correct the server-side issues almost immediately but neglected to follow through on the client side. It is good of them to patch and offer bug bounties, but a complete follow-through is necessary if you are a security software peddler who wants their reputation to stay intact.

"The antivirus firm says it has addressed server-side vulnerabilities that were reported by Google Project Zero researcher Tavis Ormandy in November. However, security holes remain in the client-side software that runs on people's Windows PCs."
