
The popular torrent client known as uTorrent used to be a very minimal and lightweight program, but BitTorrent Inc. has loaded it down with more and more features over the years. According to Googler Tavis Ormandy, one of uTorrent's features has left users wide open to a serious attack. Ormandy alerted the company to the flaw and voiced concern about whether it would be patched in time for the 90-day disclosure deadline. A patch is rolling out now, but it's unclear how effective the fix will be.

Ormandy is part of Google's Project Zero, a team dedicated to finding bugs in software before the bad guys do. As part of his work on torrent clients, Ormandy reached out to BitTorrent Inc. last November with details on a serious remote code execution vulnerability in its uTorrent software. A remote code execution vulnerability is bad news, as it can allow an attacker to take over your system completely. Despite being a big deal, BitTorrent waited until the last minute to issue a patch.

Based on the demo provided by Ormandy, uTorrent appears to have a number of DNS rebinding exploits on Windows. They relate to the program's remote control feature, which allows the system's owner to manage torrents from a web browser in another location. However, the authentication token for this feature is ridiculously easy to compromise. With that, the attacker can install anything on the computer.
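The standard defence against the class of bug described above is for a local web interface to refuse any request whose Host header does not name the interface itself: in a DNS rebinding attack the browser ends up connecting to the loopback address but still sends the attacker's domain name in the Host header, so an allowlist on that header rejects the rebound request. The following is an added example written for this article, not uTorrent's own code; the port number, allowlist and token handling are assumptions chosen for illustration.

```python
"""Host-header allowlisting and an unguessable session token for a
loopback web interface, as a defence against DNS rebinding.
Added example; not code from uTorrent or BitTorrent Inc."""
import hmac
import secrets
from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumed deployment: the service only listens on loopback, on this port.
LISTEN_PORT = 8080
ALLOWED_HOSTS = {"localhost", "127.0.0.1", "[::1]"}


def host_is_allowed(host_header, allowed=ALLOWED_HOSTS, port=LISTEN_PORT):
    """Return True only if the Host header names this server itself.

    A rebound request carries the attacker's hostname here even though the
    TCP connection goes to 127.0.0.1, so anything outside the allowlist
    (or on the wrong port) is rejected.
    """
    if host_header is None:
        return False
    host = host_header.strip().lower()
    if host.startswith("["):                      # bracketed IPv6 literal
        name, _, rest = host.partition("]")
        name += "]"
        if rest and rest != f":{port}":
            return False
    else:
        name, sep, given_port = host.rpartition(":")
        if sep:
            if given_port != str(port):
                return False
        else:
            name = host
    return name in allowed


def new_session_token():
    """A random, URL-safe token with 256 bits of entropy (stdlib secrets)."""
    return secrets.token_urlsafe(32)


def token_matches(expected, presented):
    """Constant-time comparison so a wrong token cannot be timed out."""
    if presented is None:
        return False
    return hmac.compare_digest(expected, presented)


SESSION_TOKEN = new_session_token()


class GuardedHandler(BaseHTTPRequestHandler):
    """Minimal handler that applies both checks before doing any work."""

    def do_GET(self):
        if not host_is_allowed(self.headers.get("Host")):
            self.send_error(403, "Host header not allowed")   # rebinding blocked
            return
        if not token_matches(SESSION_TOKEN, self.headers.get("X-Token")):
            self.send_error(401, "Missing or bad token")
            return
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(b"remote control interface\n")


if __name__ == "__main__":
    # Bind to loopback only; the Host check is the second line of defence.
    HTTPServer(("127.0.0.1", LISTEN_PORT), GuardedHandler).serve_forever()
```

Binding to loopback alone does not stop rebinding, because the victim's own browser is the thing making the loopback connection; the Host allowlist is what breaks the attack, and the random token keeps the interface from being driven by anyone who merely knows the URL.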

BitTorrent Inc. has rolled out a patch to the beta version of the client and says the stable version will be patched within a week. The fix involves adding a second token to the web interface. Ormandy notes this does break his exploits, but he believes this token, too, is vulnerable. If that's the case, it may be a simple matter for someone else to update the exploit. He describes uTorrent as having "a lot of unnecessary remote attack surface."

The company's engineering VP Dave Rees says that the patch fixes the issue, and everyone should update. That's sound advice, but it sounds like Ormandy was not convinced of the patch's effectiveness. If you're going to keep using uTorrent, it might be smart to disable the remote access features entirely until we know for sure the DNS rebinding exploits have been fixed.

Ormandy has promised to release a series of vulnerabilities in torrent clients. He already exposed a similar flaw in the popular Transmission torrent client.