1. Hey Guest Did you know you can win an Honor 10 phone worth ₹33,000 and an additional ₹70,000 in paytm vouchers, just by replying to some threads and taking part in the discussions happening in the Honor Hub?

    What are you waiting for? Start commenting and start winning! Remember to read the instructions posted here.

    Dismiss Notice

BitTorrent Client uTorrent Suffers Security Vulnerability

Discussion in 'Technology News' started by Cyberghost, Feb 28, 2018.

  1. Cyberghost

    Cyberghost Federal Agent Area 51

    Joined:
    Sep 1, 2012
    Messages:
    1,567
    Likes Received:
    56
    Trophy Points:
    48
    Location:
    കേരളം (Kerala), ഇന്ത്യ(India)
    BitTorrent client uTorrent is suffering from an as yet undisclosed vulnerability. The security flaw was discovered by Google security researcher Tavis Ormandy, who previously said he would reveal a series of "remote code execution flaws" in torrent clients. BitTorrent Inc. has rolled out a 'patch' in the latest Beta release and hopes to fix the stable uTorrent client later this week.

    With dozens of millions of active users a day, uTorrent has long been the most used torrent client.

    The software has been around for well over a decade and it’s still used to shift petabytes of data day after day. While there haven’t been many feature updates recently, parent company BitTorrent Inc. was alerted to a serious security vulnerability recently.

    The security flaw in question was reported by Google vulnerability researcher Tavis Ormandy, who first reached out to BitTorrent in November last year. Google’s Project Zero allows developers a 90-day window to address security flaws but with this deadline creeping up, BitTorrent had remained quiet.

    Late last month Ormandy again reached out to BitTorrent Inc’s Bram Cohen, fearing that the company might not fix the vulnerability in time.

    “I don’t think bittorrent are going to make a 90 day disclosure deadline, do you have any direct contacts who could help? I’m not convinced they understand the severity or urgency,” Ormandy wrote on Twitter.

    [​IMG]
    While Google’s security researcher might have expected a more swift response, the issue wasn’t ignored.

    BitTorrent Inc has yet to fix the problem in the stable release, but a patch was deployed in the Beta version last week. BitTorrent’s Vice President of Engineering David Rees informed us that this will be promoted to the regular release this week, if all goes well.

    While no specific details about the vulnerability have yet to be released (update below), it is likely to be a remote execution flaw. Ormandy previously exposed a similar vulnerability in Transmission, which he said was the “first of a few remote code execution flaws in various popular torrent clients.”

    BitTorrent Inc. told us that they have shared their patch with Ormandy, who according to the company confirmed that this fixes the security issues (update below).

    uTorrent Beta release notes


    “We have also sent the build to Tavis and he has confirmed that it addresses all the security issues he reported,” Rees told us. “Since we have not promoted this build to stable, I will reserve reporting on the details of the security issue and its fix for now.”

    BitTorrent Inc. plans to release more details about the issue when all clients are patched. Then it will also recommend users to upgrade their clients, so they are no longer at risk, and further information will also be available on Google’s Project Zero site.

    Of course, people who are concerned about the issue can already upgrade to the latest uTorrent Beta release right away. Or, assuming that it’s related to the client’s remote control functionality, disable that for now.

    Update: The vulnerability affects ‘recent’ unpatched uTorrent versions, not just those that have the Web UI enabled. (to clarify, older versions may not have the exploitable RPC server)

    Update: More details about the vulnerability (and a demo) have been published by Ormandy after we finished this article. It is indeed a DNS rebinding issue that potentially allows outsiders to remotely execute code through uTorrent’s remote control feature.

    Also, uTorrent’s patch appears not to be as solid as BitTorrent Inc. believes, according to Google’s security researcher.

    “Hmm, it looks like BitTorrent just added a second token to uTorrent Web. That does not solve the DNS rebinding issue, it just broke my exploit,” he writes.

    Still vulnerable?

    [​IMG]
    and…
    Fixed?

    [​IMG]
    Update 2: BitTorrent inc just released the following statement:

    “On December 4, 2017, we were made aware of several vulnerabilities in the uTorrent and BitTorrent Windows desktop clients. We began work immediately to address the issue. Our fix is complete and is available in the most recent beta release (build 3.5.3.44352 released on 16 Feb 2018). This week, we will begin to deliver it to our installed base of users. All users will be updated with the fix automatically over the following days. The nature of the exploit is such that an attacker could craft a URL that would cause actions to trigger in the client without the user’s consent (e.g. adding a torrent).

    A fix for uTorrent Web was released a few hours ago according to BitTorrent Inc and users are recommended to update this to the latest available build as well.

    To be continued.



    Note: uTorrent’s Beta changelog states that the fixes were applied on January 15, but we believe that this should read February 15 instead.

    Update: On February 22 BitTorrent Inc reports that patched versions are available now. More details and info are available here.

    Source: Torrentfreak
     
  2. whitestar_999

    whitestar_999 Super Moderator Staff Member

    Joined:
    Nov 7, 2011
    Messages:
    7,578
    Likes Received:
    639
    Trophy Points:
    113
    Location:
    NCR
    Yes,many private trackers dropped uTorrent 3.x versions & some even removed earlier versions though from whatever I read v2.2.1 & earlier are not exploitable(reddit posts suggests most these exploit can do to 2.x/earlier versions is cause popup messages which can be closed as usual) in the same way as 3.x versions so these earlier versions are still being allowed at many pvt trackers.
     
  3. billubakra

    billubakra Well-Known Member

    Joined:
    Dec 18, 2012
    Messages:
    2,719
    Likes Received:
    193
    Trophy Points:
    63
    I am still using utorrent v2.2 Itni tension nai lete dosto. An elite hacker in the world targetting me lol sounds funny.
     
  4. whitestar_999

    whitestar_999 Super Moderator Staff Member

    Joined:
    Nov 7, 2011
    Messages:
    7,578
    Likes Received:
    639
    Trophy Points:
    113
    Location:
    NCR
    Elite hackers won't use such simple exploits,they will use custom spectre exploits.
     
    billubakra likes this.
  5. billubakra

    billubakra Well-Known Member

    Joined:
    Dec 18, 2012
    Messages:
    2,719
    Likes Received:
    193
    Trophy Points:
    63
    But again they won't target "us".
     
  6. Nerevarine

    Nerevarine Well-Known Member

    Joined:
    Feb 6, 2011
    Messages:
    6,028
    Likes Received:
    184
    Trophy Points:
    63
    Location:
    Pune
    That is literally the attitude because of which our govt doesnt take security seriously.
     
  7. billubakra

    billubakra Well-Known Member

    Joined:
    Dec 18, 2012
    Messages:
    2,719
    Likes Received:
    193
    Trophy Points:
    63
    Government vs aam aadmi which has only songs and movies in his HDD, can't compare me with them. Happy Holi.
     

Share This Page