One of the Internet’s most widely used BitTorrent app, uTorrent has vulnerabilities that can be easily exploited to take control of the computer on which they are installed. Two versions of uTorrent have been found to have a zero-day vulnerability that allows attackers to execute code, access downloaded fils and even snoop on download histories.
These vulnerabilities were first brought into light by a Google Project Zero research Tavis Ormandy, who said that these bugs make it possible for any website vised by the user to control functions in both the uTorrent desktop app for Windows as well as in uTorrent Web, an alternative to desktop app that uses a web interface and can be controlled from within the browser. The vulnerability will allow a malicious website to exploit the flaw and download malicious code to run from the Windows startup folder. The process will not ring any alarm bells and the malicious code will run automatically whenever the user reboots their computer. In addition, the sites also get access to downloaded files and browse download histories.
Dave Rees, VP of engineering at BitTorrent, the developer of the uTorrent apps, told ArsTechnica in an email that the flaw has been fixed in a beta release of the uTorrent Windows desktop apps but it is yet to be released for those running the stable version. It says the next release with version number 188.8.131.52352 will bring the fix and will be rolled out to users in the coming days. He also confirmed that the web version of the application has also been patched against the described flaw.
“We highly encourage all uTorrent Web customers to update to the latest available build 0.12.0.502 available on our website and also via the in-application update notification,” Rees said in an email.
Ormandy explains that the exploit uses a technique known as domain name system rebinding and creates an untrusted Internet domain resolve to the local IP address of the computer running the vulnerable uTorrent app. The exploit then routes malicious commands through the domain to get them executed on the affected computer. Ormandy also demonstrated similar vulnerability in the Transmission BitTorrent app.
While the issue is clearly demonstrated by Project Zero and BitTorrent has acknowledged that the fix is incoming. However, neither Google Project Zero nor Rees suggested any way to mitigate the issue until the fix is rolled out to all uTorrent users. Those using these popular BitTorrent apps should either stop using them or get the beta versions which have fix built-in Alternately, they should uninstall the existing versions and wait for the new version and download them again.