If you have installed world’s most common torrent download software, μTorrent, then you should download its latest design for Windows as soon as possible.
Google’s security researcher at Project Zero discovered a serious remote code execution vulnerability in both the ‘μTorrent desktop app for Windows’ as well as newly launched ‘μTorrent Web’ which allows users to download as well as stream torrents directly into their web browser.
μTorrent Classic as well as μTorrent Web apps run inside the background on the Windows machine as well as start a locally hosted HTTP RPC server on ports 10000 as well as 19575, respectively, using which users can access its interfaces over any web browser.
However, Project Zero researcher Tavis Ormandy found which several issues with these RPC servers could allow remote attackers to take control of the torrent download software with little user interaction.
According to Ormandy, uTorrent apps are vulnerable to a hacking technique called the “domain name system rebinding” which could allow any malicious website a user visits to execute malicious code on user’s computer remotely.
To execute DNS rebinding attack, one can simply create a malicious website using a DNS name which resolves to the local IP address of the computer running a vulnerable uTorrent app.
“This specific requires some simple DNS rebinding to attack remotely, however once you hold the secret you can just change the directory torrents are saved to, as well as then download any file anywhere writable,” Ormandy explained.
Proof-of-Concept Exploits for uTorrent Software Released Publicly
Ormandy also provided proof-of-concept exploits for μTorrent Web as well as μTorrent desktop (1 as well as 2), which are capable of passing malicious commands through the domain in order to get them to execute on the targeted computer.
Last month, Ormandy demonstrated same attack technique against the Transmission BitTorrent app.
Ormandy reported BitTorrent of the issues with the uTorrent client in November 2017 using a 90-days disclosure deadline, however a patch was made public on Tuesday—which’s almost 80 days after the initial disclosure.
What’s more? The re-issued fresh security patches the same day after Ormandy found which his exploits continued to work successfully inside the default configuration using a modest tweak.
“This specific issue can be still exploitable,” Ormandy said. “The vulnerability can be at This specific point public because a patch can be available, as well as BitTorrent have already exhausted their 90 days anyway.”
“I see no additional option for affected users however to stop using uTorrent Web as well as contact BitTorrent as well as request a comprehensive patch.”
Patch your uTorrent Software at This specific point!
The company assured its users which all vulnerabilities reported by Ormandy the idea two of its products had been addressed with the Discharge of:
- μTorrent Stable 126.96.36.199358
- BitTorrent Stable 188.8.131.52359
- μTorrent Beta 184.108.40.206352
- μTorrent Web 0.12.0.502
All users are urged to update their software immediately.