Serious flaw within torrenting software μTorrent
Are you one of the many users of the world's most popular torrenting client, μTorrent? If so, you should be concerned. Tavis Ormandy of Google's Project Zero is currently warning of severe vulnerabilities within the client. These could allow an attacker to take remote control of your device through a malicious webpage. The developers of μTorrent, BitTorrent, have issued a patch that is set to roll out soon. A proactive download of their new patched client is also offered.
Project Zero finds flaws in μTorrent
Tavis Ormandy of Google's Project Zero recently issued a warning: major flaws were found within the hugely popular torrenting application μTorrent. Project Zero has a 90-day policy, giving developers 90 days to fix the issues found by the group before they are released to the public. The flaws were discovered in early December, meaning they recently passed their due date and became public knowledge.
The flaws exist within the program's handling of JavaScript Object Notation (JSON) through its Remote Procedure Call (RPC) servers. μTorrent creates an RPC server on port 1000 or 19575 for its Classic or Web version respectively. By performing a so-called DNS rebinding attack through JavaScript in a browser, a malicious user could perform calls to the server. These calls can be made to either μTorrent Classic or the μTorrent Web App, which could lead to remote code execution or loss of privacy.
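In a DNS rebinding request the browser still sends the attacker-controlled name in the Host header, so a loopback RPC service can refuse any name it is not known by. The following is an added defensive example, not code from BitTorrent or from the Project Zero report; the allow-list, function names and sample headers are assumptions made for illustration.

```python
from typing import Optional, Tuple

# Assumption: the only names a loopback-bound RPC service should answer to.
ALLOWED_HOSTS = {"localhost", "127.0.0.1", "::1"}
RPC_PORT = 19575  # port the article gives for the Web version


def split_host_header(value: str) -> Optional[Tuple[str, int]]:
    """Parse a Host header into (hostname, port); None if malformed."""
    value = value.strip()
    if not value or any(c in value for c in " \t/@\\"):
        return None
    if value.startswith("["):  # bracketed IPv6 literal, e.g. [::1]:19575
        end = value.find("]")
        if end == -1:
            return None
        host, rest = value[1:end], value[end + 1:]
        if rest and not rest.startswith(":"):
            return None
        port_text = rest[1:] if rest else None
    else:
        host, sep, tail = value.partition(":")
        port_text = tail if sep else None
    if port_text is None:
        port = 80  # no port in the header means the HTTP default
    elif port_text.isascii() and port_text.isdigit():
        port = int(port_text)
    else:
        return None
    return host.lower().rstrip("."), port


def host_is_allowed(host_header: Optional[str], listen_port: int = RPC_PORT) -> bool:
    """True only when the request names a loopback host on our own port."""
    parsed = split_host_header(host_header or "")
    if parsed is None:
        return False
    host, port = parsed
    return host in ALLOWED_HOSTS and port == listen_port


# Constructed Host headers: what the server sees from a local page versus a
# page loaded from a name that was re-pointed at 127.0.0.1.
SAMPLES = ["localhost:19575", "[::1]:19575", "rebind.attacker.example:19575",
           "localhost.attacker.example:19575", "localhost", ""]

if __name__ == "__main__":
    for h in SAMPLES:
        print(f"{h!r:40} -> {'accept' if host_is_allowed(h) else 'reject 403'}")
```

A Host check of this kind only stops rebinding; requests sent directly to a loopback name from another origin still need an unguessable per-session token on state-changing calls.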
Patches are coming
BitTorrent issued a patch 80 days into Project Zero's 90-day window. Roll-out of the patch will occur in the upcoming weeks. If you are using an earlier version of the software, it is recommended that you download the latest build from their official page. An official statement by the developers of μTorrent, BitTorrent, has also been made regarding the flaws.
“On December 4, 2017, we were made aware of several vulnerabilities in the uTorrent and BitTorrent Windows desktop clients. We began work immediately to address the issue. Our fix is complete and is available in the most recent beta release (build 3.5.3.44352 released on 16 Feb 2018). This week, we will begin to deliver it to our installed base of users. All users will be updated with the fix automatically over the following days. The nature of the exploit is such that an attacker could craft a URL that would cause actions to trigger in the client without the user’s consent (e.g. adding a torrent).”