If you are a μTorrent user on the Microsoft Windows platform, it is advised that you download its latest version as soon as possible.
A security researcher from Google’s Project Zero discovered a remote code execution vulnerability in both the desktop and web browser apps of the μTorrent client.
Project Zero researcher Tavis Ormandy found several issues that could allow remote attackers to exploit the torrent download software.
According to Ormandy, uTorrent apps are vulnerable to “domain name system (DNS) rebinding”, a hacking technique that could allow malicious websites to execute malicious code on a user’s computer remotely.
To execute a DNS rebinding attack, the attacker just needs to create a simple malicious website with a DNS name that resolves to the local IP address of the computer running a vulnerable uTorrent app.
“This requires some simple DNS rebinding to attack remotely, but once you have the secret you can just change the directory torrents are saved to, and then download any file anywhere writable,” explained Ormandy.
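As an added example (not code from the article or from BitTorrent), the following Python shows the two defensive checks that break the pattern described above: a local web service that refuses requests whose Host header does not name the machine by an expected name, and a resolver-side check that flags an external hostname answering with a loopback or private address. The service path, the port and the sample request text are constructed for the example.

```python
import ipaddress
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

# Names a browser may legitimately use to reach this local service.
# A request carrying any other Host value was steered here by a DNS name
# that now resolves to this machine, which is the rebinding pattern.
ALLOWED_HOSTS = {"localhost", "127.0.0.1", "::1"}


def host_header_is_allowed(host_header, allowed=ALLOWED_HOSTS):
    """Return True only if the Host header names this machine under an expected name."""
    if not host_header:
        return False
    try:
        # urlsplit strips the port and the IPv6 brackets for us.
        hostname = urlsplit("//" + host_header).hostname
    except ValueError:  # malformed value such as an unbalanced '['
        return False
    return hostname is not None and hostname in allowed


def dns_answer_is_suspicious(name, resolved_ip):
    """Resolver-side check (the idea behind options such as dnsmasq's
    --stop-dns-rebind): an external name resolving to a loopback, private
    or link-local address is a rebinding signal and should be dropped."""
    ip = ipaddress.ip_address(resolved_ip)
    return ip.is_loopback or ip.is_private or ip.is_link_local


def screen_request(raw_request):
    """Parse a raw HTTP/1.1 request and decide whether a local web service
    should answer it. Returns (allowed, reason)."""
    head, _, _body = raw_request.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    host = headers.get("host", "")
    if not host_header_is_allowed(host):
        return False, f"refused {request_line!r}: unexpected Host header {host!r}"
    return True, f"accepted {request_line!r}"


class HostCheckingHandler(BaseHTTPRequestHandler):
    """Minimal handler that applies the Host check before serving anything."""

    def do_GET(self):
        if not host_header_is_allowed(self.headers.get("Host", "")):
            self.send_error(403, "Host header not allowed")
            return
        self.send_response(200)
        self.end_headers()
        self.wfile.write(b"ok\n")


# Constructed sample traffic: a normal local request and one reaching the
# same port through an attacker-controlled name that was rebound to 127.0.0.1.
LEGIT_REQUEST = "GET /settings HTTP/1.1\r\nHost: localhost:8080\r\n\r\n"
REBOUND_REQUEST = "GET /settings HTTP/1.1\r\nHost: attacker.example:8080\r\n\r\n"

if __name__ == "__main__":
    for req in (LEGIT_REQUEST, REBOUND_REQUEST):
        print(screen_request(req)[1])
    print(dns_answer_is_suspicious("attacker.example", "127.0.0.1"))
    # Serve on loopback only; the Host check still matters because a browser
    # on the same machine can reach loopback with any Host value.
    HTTPServer(("127.0.0.1", 8080), HostCheckingHandler).serve_forever()
```

Binding to 127.0.0.1 alone is not enough, because the attacker's page runs in the victim's own browser on that same host; the Host allowlist (or an equivalent origin check) is what actually closes the hole, and the resolver check adds defence in depth at the network edge.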
He reported the issues in the uTorrent client to BitTorrent in November 2017 with a 90-day disclosure deadline. A patch was made public on Tuesday, almost 80 days after the initial disclosure, but the new security patches re-issued the same day were ineffective: Ormandy found that the exploits continued to work with just a few small tweaks.
“This issue is still exploitable,” Ormandy said. “The vulnerability is now public because a patch is available, and BitTorrent have already exhausted their 90 days anyway.”
“I see no other option for affected users but to stop using uTorrent Web and contact BitTorrent and request a comprehensive patch.”
On the other hand, BitTorrent assured its users that all vulnerabilities had been addressed in the following releases:
- μTorrent Stable 18.104.22.168358
- BitTorrent Stable 22.214.171.124359
- μTorrent Beta 126.96.36.199352
- μTorrent Web 0.12.0.502