SafeUM
Home Blog Services Download Help About Recharge

Axarhöfði 14, 110 Reykjavik, Iceland

Iceland - 2015
SafeUM
Blog
Services
Download
Help
About
Recharge
Menu
Archive
TOP Security!
23 Feb 2018

uTorrent bugs let websites control your computer and steal your downloads

Two versions of uTorrent, one of the Internet's most widely used BitTorrent apps, have easy-to-exploit vulnerabilities that allow attackers to execute code, access downloaded files, and snoop on download histories, a Google Project Zero researcher said.

uTorrent developers are in the process of rolling out fixes for both the uTorrent desktop app for Windows and the newer uTorrent Web product.

The vulnerabilities, according to Project Zero, make it possible for any website a user visits to control key functions in both the uTorrent desktop app for Windows and in uTorrent Web, an alternative to desktop BitTorrent apps that uses a Web interface and is controlled by a browser. The biggest threat is posed by malicious sites that could exploit the flaw to download malicious code into the Windows startup folder, where it will be automatically run the next time the computer boots up. Any site a user visits can also access downloaded files and browse download histories.

In an e-mail sent late Tuesday afternoon, Dave Rees, VP of engineering at BitTorrent, which is the developer of the uTorrent apps, said the flaw has been fixed in a beta release of the uTorrent Windows desktop app but has not yet been delivered to users who already have the production version of the app installed.

The fixed version, uTorrent/BitTorrent 3.5.3.44352, is available here for download and will be automatically pushed out to users in the coming days. In a separate e-mail sent Tuesday evening, Rees said uTorrent Web had also been patched. "We highly encourage all uTorrent Web customers to update to the latest available build 0.12.0.502 available on our website and also via the in-application update notification," he wrote.

Earlier Tuesday, Project Zero researcher Tavis Ormandy warned that the flaws remained unfixed in uTorrent Web. Rees' later email indicated that's no longer the case. Ormandy's proof-of-concept exploits include this one for uTorrent Web and this one and this one for uTorrent desktop.

The exploits use a technique known as domain name system rebinding to make an untrusted Internet domain resolve to the local IP address of the computer running a vulnerable uTorrent app. Ormandy's exploit then funnels malicious commands through the domain to get them to execute on the computer. Last month, the researcher demonstrated similar critical vulnerabilities in the Transmission BitTorrent app.

Neither Ormandy nor Rees included any mitigation advice for vulnerable uTorrent versions. People who have either the uTorrent desktop app for Windows or uTorrent Web installed should promptly stop using them until updating to a version that fixes these critical vulnerabilities.

Tags:
information leaks
Source:
Ars Technica
1628
Other NEWS
3 Jul 2020 safeum news imgage An encrypted messaging service has been infiltrated by police
4 May 2020 safeum news imgage Two-Factor Authentication ​What Is It and Why You Should Use It
12 Dec 2019 safeum news imgage Encryption is under threat - this is how it affects you
4 Nov 2019 safeum news imgage Should Big Decisions Be Based on Data or Your Intuition?
7 Jun 2018 safeum news imgage VPNFilter malware infecting 500,000 devices is worse than we thought
4 Jun 2018 safeum news imgage Hackers target Booking.com in criminal bid to steal hundreds of thousands from customers
1 Jun 2018 safeum news imgage Operator of World's Top Internet Hub Sues German Spy Agency
30 May 2018 safeum news imgage US says North Korea behind malware attacks
29 May 2018 safeum news imgage Facebook and Google targeted as first GDPR complaints filed
25 May 2018 safeum news imgage A new reason to not buy these cheap Android devices
24 May 2018 safeum news imgage Flaws in smart pet devices, apps could come back to bite owners
23 May 2018 safeum news imgage Google sued for 'clandestine tracking' of 4.4m UK iPhone users' browsing data
21 May 2018 safeum news imgage LocationSmart reportedly leaked phone location data onto the web
18 May 2018 safeum news imgage The SEC created its own scammy ICO to teach investors a lesson
17 May 2018 safeum news imgage Thieves suck millions out of Mexican banks in transfer heist
All news
SafeUM
Confidential Terms of Use Our technologies Company
Follow us
Download
SafeUM © Safe Universal Messenger

Axarhöfði 14,
110 Reykjavik, Iceland

Iceland - 2015