A Google Project Zero researcher has discovered critical bugs in two versions of the popular uTorrent app. With millions of daily users, uTorrent is considered one of the most widely used torrent clients. However, parent company BitTorrent was alerted to the serious security issue. Google researcher Tavis Ormandy has detailed several exploits in Windows versions of the software that lets attackers intrude into a user's computer.
Because it is a DNS rebinding issue, hackers can potentially execute remote code, download malware to the computer's startup folder, launch malware on reboot, access downloaded files, as well as peep at the user's download history, Ormandy said. While the exploit affects all unpatched versions, it primarily affects uTorrent Web, the newer version of the popular BitTorrent client, as it has a serious remote code execution bug, as per the Google researcher. The examples of exploits, as mentioned by Ormandy, include one for uTorrent Web, and two for uTorrent desktop.
Meanwhile, as per a TorrentFreak report, BitTorrent had rolled out a 'patch' in the latest Beta release and promises to fix the stable uTorrent client soon. Later, in an official statement, the company said, "Our fix is complete and is available in the most recent beta release (build 18.104.22.168352 released on 16 Feb 2018). This week, we will begin to deliver it to our installed base of users. All users will be updated with the fix automatically over the following days. The nature of the exploit is such that an attacker could craft a URL that would cause actions to trigger in the client without the user's consent (e.g. adding a torrent)."
However, Ormandy had expressed his displeasure with BitTorrent's response. He said, BitTorrent just added a second token to uTorrent Web which does not solve the issue. Further, he wrote, "I just fixed the exploit and verified it still works. I would recommend asking BitTorrent to resolve this issue if you're affected, and it works in the default configuration so you probably are. Sigh."
It is not clear if an attacker has made use of the exploits in the wild. However, it will only take one visit to a targeted website to trigger a hack. In order to stay safe, users can either disable uTorrent for now or upgrade to the latest Beta release. The uTorrent version 22.214.171.124352, is available for download and uTorrent Web users can update to the latest available build 0.12.0.502.