
The popular torrent client known as uTorrent used to be a very minimal and lightweight program, but BitTorrent Inc. has loaded it down with more and more features over the years. According to Googler Tavis Ormandy, one of uTorrent's features has left users wide open to a serious attack. Ormandy alerted the company to the flaw and expressed concern about whether it would be patched in time for the 90-day disclosure deadline. A patch is rolling out now, but it's unclear how effective the fix will be.

Ormandy is part of Google's Project Zero, a team dedicated to finding bugs in software before the bad guys do. As part of his work on torrent clients, Ormandy reached out to BitTorrent Inc last November with details on a serious remote code execution vulnerability in its uTorrent software. A remote code execution vulnerability is bad news, as it can allow an attacker to take over your system completely. Despite it being a big deal, BitTorrent waited until the last minute to issue a patch.

Based on the demo provided by Ormandy, uTorrent on Windows appears to be open to a number of DNS rebinding exploits. They target the program's remote control feature, which allows the system's owner to manage torrents from a web browser in another location. However, the authentication token for this feature is ridiculously easy to compromise. With that, the attacker can install anything on the computer.

BitTorrent Inc has rolled out a patch to the beta version of the client and says the stable version will be patched within a week. The fix involves adding a second token to the web interface. Ormandy notes this does break his exploits, but he believes this token, too, is vulnerable. If that's the case, it may be a simple matter for someone else to update the exploit. He describes uTorrent as having "a lot of unnecessary remote attack surface."
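The two paragraphs above describe the shape of the problem: a web interface bound on the local machine, reachable by a DNS rebinding page in the browser, protected only by a token that can be recovered. The standard defence on the server side has two parts: reject any request whose Host header does not name the machine itself (a rebinding page's requests arrive under the attacker's hostname, so this alone stops them), and make the token unguessable and compare it in constant time. The following is an added example of those two checks; it is not code from the article, from uTorrent or from BitTorrent Inc, and the header name, port 10000 and the hostnames in the allowlist are assumptions chosen for illustration.

```python
"""Host-header allowlist plus an unguessable token in front of a locally
bound web interface. Added example, not uTorrent's code. The header name
X-Api-Token, port 10000 and the allowlisted hostnames are assumptions."""
import secrets
from http.server import BaseHTTPRequestHandler, HTTPServer

# Names a legitimate browser uses to reach a service bound on this machine.
# A DNS rebinding page is loaded from the attacker's hostname and that name
# is what the browser puts in Host, even after the record points to 127.0.0.1.
ALLOWED_HOSTS = frozenset({"localhost", "127.0.0.1", "[::1]"})
TOKEN_HEADER = "X-Api-Token"  # assumed header name for the example


def host_is_allowed(host_header, allowed=ALLOWED_HOSTS):
    """True only if the Host header names this machine directly."""
    if not host_header:
        return False
    host = host_header.strip().lower()
    if host.startswith("["):            # bracketed IPv6 literal, e.g. [::1]:10000
        end = host.find("]")
        if end == -1:
            return False
        host = host[: end + 1]
    else:                               # drop any :port suffix
        host = host.split(":", 1)[0]
    return host in allowed


def new_token():
    """256-bit token from the OS CSPRNG; nothing the UI serves should reveal it."""
    return secrets.token_urlsafe(32)


def token_matches(presented, expected):
    """Constant-time comparison so response timing does not leak the token."""
    if presented is None:
        return False
    return secrets.compare_digest(presented.encode(), expected.encode())


def check_request(headers, expected_token):
    """HTTP status a request deserves: 403 bad Host, 401 bad token, else 200."""
    if not host_is_allowed(headers.get("Host")):
        return 403
    if not token_matches(headers.get(TOKEN_HEADER), expected_token):
        return 401
    return 200


class GuardedHandler(BaseHTTPRequestHandler):
    """Minimal handler that runs check_request before serving anything."""
    token = new_token()

    def do_GET(self):
        status = check_request(self.headers, self.token)
        if status != 200:
            self.send_error(status)
            return
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(b"ok\n")


# Constructed sample requests (not captured traffic).
TOKEN = new_token()
REBOUND_REQUEST = {             # page from attacker.example re-pointed at 127.0.0.1
    "Host": "attacker.example:10000",
    TOKEN_HEADER: TOKEN,        # even a recovered token fails on the Host check
}
LOCAL_NO_TOKEN = {"Host": "localhost:10000"}
LOCAL_OK = {"Host": "127.0.0.1:10000", TOKEN_HEADER: TOKEN}

if __name__ == "__main__":
    print(check_request(REBOUND_REQUEST, TOKEN),   # 403
          check_request(LOCAL_NO_TOKEN, TOKEN),    # 401
          check_request(LOCAL_OK, TOKEN))          # 200
    GuardedHandler.token = TOKEN
    print("serving on 127.0.0.1:10000 with token", TOKEN)
    HTTPServer(("127.0.0.1", 10000), GuardedHandler).serve_forever()
```

The order of the checks matters: the Host check runs first, so a rebinding page is refused before the token is even examined, which is why adding a second token on its own does not address rebinding. The token check only holds up if the token never appears in a page the browser can read; a token that can be fetched from the interface itself is exactly the weakness the article describes.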

The company's engineering VP Dave Rees says that the patch fixes the issue, and everyone should update. That's sound advice, but it sounds like Ormandy was not convinced of the patch's effectiveness. If you're going to continue using uTorrent, it might be smart to disable the remote access features entirely until we know for sure the DNS rebinding exploits have been fixed.

Ormandy has promised to release a series of vulnerabilities in torrent clients. He already exposed a similar flaw in the popular Transmission torrent client.