µTorrent, the world's most popular torrent download software, has been found to contain multiple security flaws. If you have this software installed on your computer, download the latest version for Windows as soon as possible.
The serious remote code execution vulnerability, which lets attackers intrude into a user's computer, was discovered by Google security researcher Tavis Ormandy in both the µTorrent Classic version and the newly launched µTorrent Web version.
According to Ormandy's report, "By default, µTorrent creates an HTTP RPC server on port 10000 (µTorrent classic) or 19575 (µTorrent web). There are numerous problems with these RPC servers that can be exploited by any website using XMLHttpRequest(). To be clear, visiting *any* website is enough to compromise these applications." So, the flaws in the RPC servers could allow a remote attacker to take control of the torrent download software with little user interaction.
Using a technique called "domain name system (DNS) rebinding", attackers could potentially execute remote code, download malware to the system's startup folder, launch malware on reboot, access downloaded files, and track the user's download history, said Ormandy. A DNS rebinding attack relies on a malicious website whose DNS name resolves to the local IP address of the computer running a vulnerable µTorrent app.
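A local HTTP RPC server can detect a rebinding request because the browser still sends the website's DNS name in the `Host` header, even though the connection lands on the loopback address. The following is an added defensive example, not code from µTorrent or from Ormandy's report; the names `split_host`, `host_is_local` and `RpcHandler` are hypothetical, and port 10000 is taken from the report quoted above.

```python
import ipaddress
from http.server import BaseHTTPRequestHandler

RPC_PORT = 10000              # port the report gives for the classic client
ALLOWED_NAMES = {"localhost"}  # the only DNS name accepted; everything else must be a loopback IP

def split_host(header):
    """Split a Host header into (hostname, port or None); raise ValueError if malformed."""
    header = header.strip()
    if header.startswith("["):            # bracketed IPv6 literal, e.g. [::1]:10000
        name, sep, rest = header[1:].partition("]")
        if not sep or (rest and not rest.startswith(":")):
            raise ValueError("bad IPv6 literal")
        port = rest[1:]
    else:
        name, _, port = header.partition(":")
    if port and not port.isdigit():
        raise ValueError("bad port")
    return name.rstrip(".").lower(), (int(port) if port else None)

def host_is_local(header, expected_port=RPC_PORT):
    """True only if Host names the loopback interface and the expected RPC port."""
    if not header:
        return False
    try:
        name, port = split_host(header)
    except ValueError:
        return False
    if port != expected_port:
        return False
    if name in ALLOWED_NAMES:
        return True
    try:
        return ipaddress.ip_address(name).is_loopback
    except ValueError:
        return False  # any other DNS name, including one rebound to 127.0.0.1

class RpcHandler(BaseHTTPRequestHandler):
    """Minimal handler that rejects a request before any RPC logic runs."""
    def do_GET(self):
        if not host_is_local(self.headers.get("Host")):
            self.send_error(403, "Host not allowed")
            return
        self.send_response(200)
        self.end_headers()
        self.wfile.write(b"ok")
```

The check runs before any token or RPC handling, so a request that arrives under an unexpected name is refused regardless of what else it carries.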
Ormandy mentioned that there is one exploit for µTorrent Web and two for µTorrent Desktop. Though the exploit affects all unpatched versions, it primarily affects the newly launched µTorrent Web, as it has a severe remote code execution bug. To report the security flaw, Ormandy reached out to BitTorrent in November last year. Google's Project Zero gives developers 90 days to fix security flaws. The deadline was approaching, but BitTorrent remained silent. Recently, Ormandy again reached out, this time to BitTorrent Inc's Bram Cohen, fearing that the company might not fix the vulnerability in time.
As a Google security researcher, Ormandy might have expected a swifter response, but the issue was not ignored completely. He believes he could retrieve other data from the µTorrent Web client, but since he obtained a full compromise of the client from the get-go, he did not investigate further.
Meanwhile, BitTorrent has rolled out a "patch" in the latest beta release. It has released version 3.5.3 Beta for the µTorrent Classic client to address the issues, which is expected to reach the stable branch in the coming days. The patched version of µTorrent Web is v0.12.0.502.
In an official statement, the company said, "Our fix is complete and is available in the most recent beta release (build 220.127.116.11352 released on 16 Feb 2018). This week, we will begin to deliver it to our installed base of users. All users will be updated with the fix automatically over the following days. The nature of the exploit is such that an attacker could craft a URL that would cause actions to trigger the client without the user's consent (e.g. adding a torrent)."
However, Ormandy expressed his displeasure with the response because, according to him, BitTorrent just added a second token to µTorrent Web, which does not solve the issue. It still takes only one visit to a malicious website to trigger a hack. To stay safe, users are advised to upgrade to the latest beta release or disable µTorrent for now.