uTorrent Client Affected by Some Pretty Severe Security Flaws (bleepingcomputer.com) 95
A Google security researcher has found multiple security flaws affecting the uTorrent web and desktop client that allow an attacker to infect a victim with malware or collect data on the users' past downloads, reports BleepingComputer. From the report: The vulnerabilities have been discovered by Google Project Zero security researcher Tavis Ormandy, and they impact uTorrent Web, a new web-based version of the uTorrent BitTorrent client, and uTorrent Classic, the old uTorrent client that most people know. Ormandy says that both uTorrent clients are exposing an RPC server -- on port 10000 (uTorrent Classic) and 19575 (uTorrent Web). The expert says that attackers can hide commands inside web pages that interact with this open RPC server. The attacker only needs to trick a user with a vulnerable uTorrent client to access a malicious web page. Furthermore, the uTorrent clients are also vulnerable to DNS rebinding -- a vulnerability that allows the attacker to legitimize his requests to the RPC server.
Who still uses it? (Score:2, Insightful)
i thought people stopped using it once it started showing advertisements?
Re:Who still uses it? (Score:5, Funny)
Still shows up as the top downloaded BitTorrent client on CNET and Softpedia
I thought people stopped using CNET once it started bundling adware?
Re: (Score:2, Insightful)
I still use the old v2.x uTorrent. The article doesn't state which versions are vulnerable, but I doubt mine is because it's from before they started piling on a bunch of worthless bloatware "features".
Re: (Score:2)
My understanding is the garbage started at v2.3 and that v2.2.1 is what you wanna stop at.
And someone down below said it's fine. Predates the "feature" indeed.
Re: (Score:2)
"i thought people stopped using it once it started showing advertisements?"
Just switch the ad-showing off in the settings like everybody else.
Re: (Score:1)
Re: (Score:2)
Re: (Score:3, Informative)
Re: (Score:2)
Yet another "don't click shit" (Score:2)
"The attacker only needs to trick a user with a vulnerable uTorrent client to access a malicious web page. "
Sys admins need an addon that just removes all links from a webpage. Know the URL you want or suffer.
Really classic uT doesn't seem to be vulnerable (Score:5, Informative)
Re: (Score:2)
All they did was add another token to break the original exploit, revised exploit still works.
Re: (Score:3)
Re: (Score:3)
My build 25273:
Trigger crash: nothing
Pairing request: popup with request, can deny or accept. If denied, nothing
PIN request: same as pairing request
Device transfer: nothing
Connected to PIA VPN, if that is relevant.
Re: (Score:2)
Heh, running on Wine huh? I'm stuck in the same boat with 2.2.1 due to a massive legacy collection. I've had 2 bungled attempts to migrate to Deluge using the uTorrent Import plugin, but I think the bugs have been worked out and the pitfalls have been found now and 3rd time will be the charm.
Re: (Score:1)
I can confirm this with uTorrent 2.2.1 on Windows 7 Ultimate SP1 64-bit (on bare metal, not under Wine) -- none of the exploits in question affect it. The pairing/pinning/devxfer requests bring up confirmation dialogs to which you just pick "No" (and the dialog descriptions even tell you to pick "No" unless you explicitly have reason to otherwise).
The more "web crap" BitTorrent began shoving into uTorrent, the worse it got. Let this be a lesson: older is better.
Re: (Score:2)
Re: (Score:2)
What's the greater risk (Score:1)
Re: (Score:2)
"using uTorrent to download questionable files from unknown sources, ..."
That's sort of uTorrent's thing.
Transmission (Score:3)
Makes me glad I switched to Transmission, no BS there, just a simple torrent client.
Re: (Score:2)
Has this vulnerability in Transmission been fixed? https://www.securityweek.com/c... [securityweek.com]
Re: (Score:2)
Has this vulnerability in Transmission been fixed? https://www.securityweek.com/c... [securityweek.com]
Throwing away the mod points I've used in this thread so I can answer you:
Yes, it was [github.com].
Re: (Score:2)
Thanks (and apologies for the wasted points.) I did a quick search and found references to the vulnerability but none on a fix. Bad google foo I guess.
Re: (Score:2)
No problem, I was glad to participate in this discussion. Vulnerabilities pop up and (sometimes) get fixed so fast it's hard to keep up.
Meh (Score:1)
Whenever they decided to put ads in the client. Moved over to qBitTorrent.
qbitorrent ? (Score:2)
I thought most everyone switched to qbitorrent years ago when they started showing ads and other strange things. My main tracker doesn't even allow Utorrent anymore. I'm guessing q isn't affected by this?
Re: (Score:1)
utorrent has been shit since bittorrent (the company and 'inventor' of the protocol) bought it.
and now with the push to a 'web' version.. that's just creepy, scary, and absolutely untrustworthy.
use. something. else. made by someone else.
Re: (Score:2)
I thought most everyone switched to qbitorrent years ago when they started showing ads and other strange things. My main tracker doesn't even allow Utorrent anymore. I'm guessing q isn't affected by this?
Or Transmission or Deluge or Vuze or Tixati or rTorrent/rutorrent...really basically anything is better, but uTorrent got in right when Azureus started trying to add bloat to reinvent itself and Transmission was still not available on Windows, and then once all the tutorials used it began to morph into the abomination it is now.
Even so, version 2.2.1 is the 'completed' version that is sufficiently used that it's the google autocomplete for "utorrent", and according to another poster here, it isn't vulnerabl
Use qBittorrent (Score:5, Insightful)
Re: (Score:2)
winamped
I've never seen this verb before, but wow it sure says a lot in a single word. Very nice.