News and Happenings
BitTorrent Client uTorrent Suffers Security Vulnerability (Updated)
Submitted by RealMcFly01, 21-02-2018, 10:16 AM, Thread ID: 76398
Thread Closed
21-02-2018, 10:16 AM
#1 This post was last modified: 21-02-2018, 10:17 AM by RealMcFly01
Quote:BitTorrent client uTorrent is suffering from an as yet undisclosed vulnerability. The security flaw was discovered by Google security researcher Tavis Ormandy, who previously said he would reveal a series of "remote code execution flaws" in torrent clients. BitTorrent Inc. has rolled out a 'patch' in the latest Beta release and hopes to fix the stable uTorrent client later this week.
With dozens of millions of active users a day, uTorrent has long been the most used torrent client.
The software has been around for well over a decade and its still used to shift petabytes of data day after day. While there havent been many feature updates recently, parent company BitTorrent Inc. was alerted to a serious security vulnerability recently.
The security flaw in question was reported by Google vulnerability researcher Tavis Ormandy, who first reached out to BitTorrent in November last year. Googles Project Zero allows developers a 90-day window to address security flaws but with this deadline creeping up, BitTorrent had remained quiet.
Late last month Ormandy again reached out to BitTorrent Incs Bram Cohen, fearing that the company might not fix the vulnerability in time.
?I dont think bittorrent are going to make a 90 day disclosure deadline, do you have any direct contacts who could help? Im not convinced they understand the severity or urgency, Ormandy wrote on Twitter.
NudgeWhile Googles security researcher might have expected a more swift response, the issue wasnt ignored.
BitTorrent Inc has yet to fix the problem in the stable release, but a patch was deployed in the Beta version last week. BitTorrents Vice President of Engineering David Rees informed us that this will be promoted to the regular release this week, if all goes well.
While no specific details about the vulnerability have yet to be released (update below), it is likely to be a remote execution flaw. Ormandy previously exposed a similar vulnerability in Transmission, which he said was the ?first of a few remote code execution flaws in various popular torrent clients.
BitTorrent Inc. told us that they have shared their patch with Ormandy, who according to the company confirmed that this fixes the security issues (update below).
uTorrent Beta release notes?We have also sent the build to Tavis and he has confirmed that it addresses all the security issues he reported, Rees told us. ?Since we have not promoted this build to stable, I will reserve reporting on the details of the security issue and its fix for now.
BitTorrent Inc. plans to release more details about the issue when all clients are patched. Then it will also recommend users to upgrade their clients, so they are no longer at risk, and further information will also be available on Googles Project Zero site.
Of course, people who are concerned about the issue can already upgrade to the latest uTorrent Beta release right away. Or, assuming that its related to the clients remote control functionality, disable that for now.
Update: More details about the vulnerability (and a demo) have been published by Ormandy after we finished this article. It is indeed a DNS rebinding issue that potentially allows outsiders to remotely execute code through uTorrents remote control feature.
Also, uTorrents patch appears not to be as solid as BitTorrent Inc. believes, according to Googles security researcher.
?Hmm, it looks like BitTorrent just added a second token to uTorrent Web. That does not solve the DNS rebinding issue, it just broke my exploit, he writes.
Still vulnerable?and
Fixed?Update 2: BitTorrent inc just released the following statement:
?On December 4, 2017, we were made aware of several vulnerabilities in the uTorrent and BitTorrent Windows desktop clients. We began work immediately to address the issue. Our fix is complete and is available in the most recent beta release (build 3.5.3.44352 released on 16 Feb 2018). This week, we will begin to deliver it to our installed base of users. All users will be updated with the fix automatically over the following days. The nature of the exploit is such that an attacker could craft a URL that would cause actions to trigger in the client without the users consent (e.g. adding a torrent).
A fix for uTorrent Web was released a few hours ago according to BitTorrent Inc and users are recommended to update this to the latest available build as well.
To be continued.
Note: uTorrents Beta changelog states that the fixes were applied on January 15, but we believe that this should read February 15 instead.
Edit: Source - https://torrentfreak.com/bittorrent-clie...ty-180220/
Users browsing this thread: 2 Guest(s)