Latest uTorrent bug can control your computer to steal downloads

Two versions of uTorrent, one of the Internet’s most widely used BitTorrent apps, have easy-to-exploit vulnerabilities that allow attackers to execute code, access downloaded files, and snoop on download histories. The flaws were recently discovered by a Google researcher. uTorrent developers are in the process of rolling out fixes for both the uTorrent desktop app for Windows and the newer uTorrent Web product. The issue affects only uTorrent users.

According to Google, the vulnerabilities make it possible for any website a user visits to control key functions in both the uTorrent desktop app for Windows and in uTorrent Web, an alternative to desktop BitTorrent apps that uses a Web interface and is controlled by a browser. The biggest threat is posed by malicious sites that could exploit the flaw to download malicious code into the Windows startup folder, where it will be automatically run the next time the computer boots up. Any website can be used to carry out the attack.

Customers and developers of 3rd-party applications that rely on the default-open state of port 10000 should be aware that moving forward, clients will no longer be discoverable over port 10000. Pairing negotiation is now only allowed over a mutually agreed-upon port. Customers can set this port manually by enabling WebUI functionality via Advanced -> WebUI -> Enable Web UI and then specifying a port under the Connectivity section.

In an e-mail sent late Tuesday afternoon, Dave Rees, VP of engineering at BitTorrent, which is the developer of the uTorrent apps, said the flaw has been fixed in a beta release of the uTorrent Windows desktop app but has not yet been delivered to users who already have the production version of the app installed. The fixed version, uTorrent/BitTorrent 3.5.3.44352, is available here for download and will be automatically pushed out to users in the coming days. In a separate e-mail sent Tuesday evening, Rees said uTorrent Web had also been patched. “We highly encourage all uTorrent Web customers to update to the latest available build 0.12.0.502 available on our website and also via the in-application update notification,” he wrote.
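For administrators who need to find unpatched installs, the following is an added example (not code from the article or from BitTorrent) that compares reported versions against the two fixed builds named above and probes the loopback port mentioned in the port 10000 notice. The product keys, the `triage` helper and the sample inventory are assumptions made for illustration; an open port 10000 only shows that something is listening there, not that it is uTorrent.

```python
import socket

# Fixed builds named in the article; anything older is treated as unpatched.
# The dictionary keys are labels chosen for this example.
FIXED_BUILDS = {
    "utorrent_desktop": (3, 5, 3, 44352),  # uTorrent/BitTorrent for Windows
    "utorrent_web": (0, 12, 0, 502),       # uTorrent Web
}

def parse_version(text):
    """Turn '3.5.3.44352' into (3, 5, 3, 44352); reject malformed input."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected version string: {text!r}")
    return tuple(int(p) for p in parts)

def is_patched(product, installed):
    """True when the installed build is at or above the fixed build.
    Tuples compare numerically, so 0.9.x sorts below 0.12.x (strings would not)."""
    return parse_version(installed) >= FIXED_BUILDS[product]

def loopback_port_open(port=10000, timeout=0.5):
    """True when something accepts TCP connections on 127.0.0.1:port."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        return s.connect_ex(("127.0.0.1", port)) == 0

def triage(inventory):
    """inventory: iterable of (host_label, product, version) tuples."""
    findings = []
    for host, product, version in inventory:
        try:
            status = "patched" if is_patched(product, version) else "UPDATE REQUIRED"
        except (KeyError, ValueError) as exc:
            status = f"needs manual review ({exc})"
        findings.append((host, product, version, status))
    return findings

if __name__ == "__main__":
    # Constructed sample inventory; host labels and versions are made up.
    sample = [
        ("pc-01", "utorrent_desktop", "3.5.3.44352"),
        ("pc-02", "utorrent_desktop", "3.5.1.44332"),
        ("pc-03", "utorrent_web", "0.9.0.120"),
        ("pc-04", "utorrent_web", "unknown"),
    ]
    for row in triage(sample):
        print(*row, sep="\t")
    print("local port 10000 listening:", loopback_port_open())
```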