uTorrent is arguably the most popular BitTorrent client. The app allows users to connect to a peer-to-peer network and download/share files. In a recent turn of events, it is discovered that two versions of uTorrent are found susceptible to attacks. The revelation was done by Google Project Zero, and the developers have already been informed.
While the patches are on the way, it is essential to know how the vulnerability allowed hackers to control key features on both uTorrent desktop app for Windows and the uTorrent Web. That apart Malicious sites could simply exploit the vulnerability and inject their codes into the Windows Startup folder. Next time the computer boots it would automatically run the malicious code. With such an arrangement in place, attackers can exploit the flaw and access downloaded files and download histories as well.
Dave Rees, VP of Engineering at BitTorrent has said that the flaw has been already fixed in the beta release of the uTorrent Windows desktop app, but the same is yet to be done for the production version.
Meanwhile, you can download the patched uTorrent/BitTorrent 188.8.131.52352. This makeshift arrangement should work fine until uTorrent releases an update/patch to the production version as well. However, on Tuesday the BitTorrent VP said that the uTorrent Web had been patched.
“We highly encourage all uTorrent Web customers to update to the latest available build 0.12.0.502 available on our website and also via the in-application update notification.” -Dave Rees, uTorrent.
The statement came right after Project Zero researcher Tavis Ormandy warned that the flaws on the uTorrent Web remained unfixed. The proof of concept exploits covers both the uTorrent Web and the uTorrent desktop app. It explains how attackers can use a method usually referred to as domain name system rebinding and make an untrusted internet domain to resolve the local IP address of the computer that is running the vulnerable version of the uTorrent app. Later the malicious codes/payloads are transferred through the domain and will be executed on the computer.
I would personally recommend uTorrent users to stop using the app until its fixed.