Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Security

uTorrent Client Affected by Some Pretty Severe Security Flaws (bleepingcomputer.com) 95

A Google security researcher has found multiple security flaws affecting the uTorrent web and desktop client that allow an attacker to infect a victim with malware or collect data on the users' past downloads, reports BleepingComputer. From the report: The vulnerabilities have been discovered by Google Project Zero security researcher Tavis Ormandy, and they impact uTorrent Web, a new web-based version of the uTorrent BitTorrent client, and uTorrent Classic, the old uTorrent client that most people know. Ormandy says that both uTorrent clients are exposing an RPC server -- on port 10000 (uTorrent Classic) and 19575 (uTorrent Web). The expert says that attackers can hide commands inside web pages that interact with this open RPC server. The attacker only needs to trick a user with a vulnerable uTorrent client to access a malicious web page. Furthermore, the uTorrent clients are also vulnerable to DNS rebinding -- a vulnerability that allows the attacker to legitimize his requests to the RPC server.
This discussion has been archived. No new comments can be posted.

uTorrent Client Affected by Some Pretty Severe Security Flaws

Comments Filter:
  • Who still uses it? (Score:2, Insightful)

    by Anonymous Coward

    i thought people stopped using it once it started showing advertisements?

    • Re: (Score:2, Insightful)

      by Anonymous Coward

      I still use the old v2.x uTorrent. The article doesn't state which versions are vulnerable, but I doubt mine is because it's from before they started piling on a bunch of worthless bloatware "features".

      • by Falos ( 2905315 )

        My understanding is the garbage started at v2.3 and that v2.2.1 is what you wanna stop at.

        And someone down below said it's fine. Predates the "feature" indeed.

    • "i thought people stopped using it once it started showing advertisements?"

      Just switch the ad-showing off in the settings like everybody else.

    • by muphin ( 842524 )
      i use it, you can disable the advertisements in the advanced settings.
  • "The attacker only needs to trick a user with a vulnerable uTorrent client to access a malicious web page. "

    Sys admins need an addon that just removes all links from a webpage. Know the URL you want or suffer.

  • by Artem Tashkinov ( 764309 ) on Wednesday February 21, 2018 @02:24PM (#56164857) Homepage
    Just tested the sample exploits [cmpxchg8b.com] against uTorrent 2.2.1 build 25302 - none has worked.
    • All they did was add another token to break the original exploit, revised exploit still works.

    • Another reporter is confirming [chromium.org] my findings: very old uTorrent clients (3.0) are not susceptible to these attacks.
    • My build 25273:

      Trigger crash: nothing
      Pairing request: popup with request, can deny or accept. If denied, nothing
      PIN request: same as pairing request
      Device transfer: nothing

      Connected to PIA VPN, if that is relevant.

    • Heh, running on Wine huh? I'm stuck in the same boat with 2.2.1 due to a massive legacy collection. I've had 2 bungled attempts to migrate to Deluge using the uTorrent Import plugin, but I think the bugs have been worked out and the pitfalls have been found now and 3rd time will be the charm.

    • by Anonymous Coward

      I can confirm this with uTorrent 2.2.1 on Windows 7 Ultimate SP1 64-bit (on bare metal, not under Wine) -- none of the exploits in question affect it. The pairing/pinning/devxfer requests bring up confirmation dialogs to which you just pick "No" (and the dialog descriptions even tell you to pick "No" unless you explicitly have reason to otherwise).

      The more "web crap" BitTorrent began shoving into uTorrent, the worse it got. Let this be a lesson: older is better.

  • Does anyone know how it works internally? I guess that, practically speaking, its main point is having a positive impact on how Google is perceived. I also guess that they are "motivated" to find as many big bugs as possible. But there are tons of possible targets out there and finding serious bugs requires a relevant effort. Any clue about their usual approach on this front? There isn't much available information and I am honestly curious.
    • This seems like a quite good last post, at least for a while. I will be answering whatever reply, but not writing new posts. I might come back in some months, no idea. So long, Slashdot.
  • using uTorrent to download questionable files from unknown sources, or downloading the questionable files themselves?
    • "using uTorrent to download questionable files from unknown sources, ..."

      That's sort of uTorrent's thing.

  • by Dwedit ( 232252 ) on Wednesday February 21, 2018 @02:42PM (#56165035) Homepage

    Makes me glad I switched to Transmission, no BS there, just a simple torrent client.

  • I stopped using uTorrent around 1.8 or 2.0.
    Whenever they decided to put ads in the client. Moved over to qBitTorrent.
  • I thought most everyone switched to qbitorrent years ago when they started showing ads and other strange things. My main tracker doesn't even allow Utorrent anymore. I'm guessing q isn't affected by this?

    • by Anonymous Coward

      utorrent has been shit since bittorrent (the company and 'inventor' of the protocol) bought it.

      and now with the push to a 'web' version.. that's just creepy, scary, and absolutely untrustworthy.

      use. something. else. made by someone else.

    • I thought most everyone switched to qbitorrent years ago when they started showing ads and other strange things. My main tracker doesn't even allow Utorrent anymore. I'm guessing q isn't affected by this?

      Or Transmission or Deluge or Vuze or Tixati or rTorrent/rutorrent...really basically anything is better, but uTorrent got in right when Azureus started trying to add bloat to reinvent itself and Transmission was still not available on Windows, and then once all the tutorials used it began to morph into the abomination it is now.

      Even so, version 2.2.1 is the 'completed' version that is sufficiently used that it's the google autocomplete for "utorrent", and according to another poster here, it isn't vulnerabl

  • Use qBittorrent (Score:5, Insightful)

    by Jahoda ( 2715225 ) on Wednesday February 21, 2018 @03:04PM (#56165217) Homepage
    uBittorent was nerfed and winamped years ago. qBittorent has taken its place as lightweight, clean, and reliable.
    • by nmb3000 ( 741169 )

      winamped

      I've never seen this verb before, but wow it sure says a lot in a single word. Very nice.

Real Programmers don't write in PL/I. PL/I is for programmers who can't decide whether to write in COBOL or FORTRAN.

Working...