BitTorrent Rolls Out Questionable uTorrent Security Patch At The Last Minute

BitTorrent Rolls Out Questionable uTorrent Security Patch At The Last Minute

The popular torrent client known as uTorrent used to be a very minimal and lightweight program, but BitTorrent Inc. has loaded it down with more and more features over the years. According to Googler Travis Ormandy, one of uTorrent’s features has left users wide open to a serious attack. Ormandy alerted the company to the flaw and expressed concern it would be patched in time for the 90-day disclosure deadline. A patch is rolling out now, but it’s unclear how effective the fix will be.

Ormandy is part of Google’s Project Zero, a team dedicated to finding bugs in software before the bad guys do. As part of his work on torrent clients, Ormandy reached out to BitTorrent Inc last November with details on a serious remote code execution vulnerability in its uTorrent software. A remote code execution vulnerability is bad news as it can allow an attacker to take over your system completely. Despite being a big deal, BitTorrent waited until the last minute to issue a patch.

Based on the demo provided by Ormandy, uTorrent appears to have a number of DNS rebinding exploits in Windows. It’s related to the program’s remote control feature, which allows the system’s owner to manage torrents from a web browser in another location. However, the authentication token for this feature is ridiculously easy to compromise. With that, the attacker can install anything on a computer.

BitTorrent Inc has rolled out a patch to the beta version of the client and says the stable version will be patched within a week. The fix involves adding a second token to the web interface. Ormandy notes this does break his exploits, but he believes this token, too, is vulnerable. If that’s the case, it may be a simple matter for someone else to update the exploit. He describes uTorrent as having “a lot of unnecessary remote attack surface.”

I just fixed the exploit and verified it still works. I would recommend asking BitTorrent to resolve this issue if you're affected, and it works in the default configuration so you probably are. Sigh.

— Tavis Ormandy (@taviso) February 20, 2018

The company’s engineering VP Dave Rees says that the patch fixes the issue, and everyone should update. That’s sound advice, but it sounds like Ormandy was not convinced of the patch’s effectiveness. If you’re going to continue using uTorrent, it might be smart to disable the remote access features entirely until we know for sure the DNS rebinding exploits have been fixed.

Ormandy has promised to release a series of vulnerabilities in Torrent clients. He already exposed a similar flaw in the popular Transmission torrent client.

Continue reading

Samsung Starts Rolling Out Galaxy S20 Android 11 Update on Verizon
Samsung Starts Rolling Out Galaxy S20 Android 11 Update on Verizon

Not only does this include the Googley Android 11 enhancements, but it also has numerous Samsung-specific changes as part of the One UI 3.0 revamp.

Seagate Announces Its Own RISC-V Cores for Future Storage Controllers
Seagate Announces Its Own RISC-V Cores for Future Storage Controllers

To hit its 50TB per-drive target over the next few years, Seagate decided it needed a custom storage controller. RISC-V offered a solution.

Microsoft Denies Cutting Secret Deal With Duracell Over Xbox Controllers
Microsoft Denies Cutting Secret Deal With Duracell Over Xbox Controllers

Despite earlier rumors, there is no secret deal between Microsoft and Duracell to keep the Xbox controller using old AA technology.

PlayStation 5 Controllers are Suffering from Drift
PlayStation 5 Controllers are Suffering from Drift

Nintendo may have company in the unreliable controller market, though gamers aren’t going to be pleased with this particular method of feature-matching. Instead of, say, a PlayStation 5 you fold up and carry in your pocket without setting your pants on fire, the PlayStation 5 DualSense controller is apparently suffering from drift.The DualSense controller has…