Hi guys! Did you know that BitTorrent rolled out a questionable uTorrent security patch at the last minute? The most popular torrent client, uTorrent, used to be a very minimal and lightweight program, but BitTorrent Inc. has weighed it down with more and more features over the years. According to Google's Tavis Ormandy, one of uTorrent's features has left users wide open to a grave attack. Ormandy warned the company of the defect and expressed concern over whether it would be repaired in time for the 90-day disclosure deadline. A patch is rolling out now, but it's unclear how useful the fix will be.
BitTorrent Rolls Out Questionable uTorrent Security Patch At The Last Minute
Ormandy is part of Google's Project Zero, a team tasked with finding bugs in software before the bad guys do. As part of his work on torrent clients, Ormandy reached out to BitTorrent Inc last November with details on a serious remote code execution vulnerability in its uTorrent software.
A remote code execution vulnerability is bad news, as it can allow an attacker to take over your system entirely. Despite this being a big deal, BitTorrent waited until the last minute to issue a patch.
Based on the demo given by Ormandy, uTorrent appears to be open to a number of DNS rebinding exploits on Windows. They relate to the program's remote control feature, which allows the system's owner to manage torrents from a web browser in another location. However, the authentication token for this feature is extremely easy to compromise. With that, the attacker can install anything on a computer.
BitTorrent Inc has rolled out a patch to the beta version of the client and says the stable version will be patched within a week. The fix includes adding a second token to the web interface. Ormandy notes this does break his exploits, but he assumes this token, too, is vulnerable. If that's the case, it may be a simple matter for someone else to update the exploit. He describes uTorrent as having "a lot of unnecessary remote attack surface."
The company’s engineering VP Dave Rees says that the patch fixes the issue, and everyone should update. That’s sound advice, but it sounds like Ormandy was not satisfied with the patch’s effectiveness. If you’re going to continue using uTorrent, it might be smart to disable the remote access features entirely until we know for sure the DNS rebinding exploits have been fixed.
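To make the DNS rebinding angle concrete, here is an added example (not from the original article, and not the fix BitTorrent shipped) of a common server-side defence for a local web interface: refuse any request whose `Host` or `Origin` header names a host the service never serves. The allowlist, the port 8080 and the sample header dictionaries are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Assumption: the web UI is only meant to be reached from the same machine.
ALLOWED_HOSTS = {"localhost", "127.0.0.1", "::1"}

# "name" or "[ipv6]" with an optional ":port"; anything else is malformed.
_HOST_RE = re.compile(r"(\[[0-9A-Fa-f:.]+\]|[A-Za-z0-9.-]+)(?::\d{1,5})?")

def host_name(value):
    """Lower-cased host part of a Host header value, or None if malformed."""
    m = _HOST_RE.fullmatch(value.strip()) if value else None
    return m.group(1).strip("[]").lower() if m else None

def origin_host(origin):
    """Host of an http(s) Origin header value, or None for anything else."""
    try:
        parts = urlsplit(origin)
        return parts.hostname if parts.scheme in ("http", "https") else None
    except ValueError:
        return None

def is_allowed(headers, allowed=ALLOWED_HOSTS):
    """True only if Host (and Origin, when sent) names a host we serve."""
    if host_name(headers.get("Host")) not in allowed:
        return False
    origin = headers.get("Origin")
    return origin is None or origin_host(origin) in allowed

# Constructed sample requests (header dicts) and the expected decision.
SAMPLES = [
    ({"Host": "localhost:8080"}, True),
    ({"Host": "127.0.0.1:8080", "Origin": "http://localhost:8080"}, True),
    # Rebinding: the socket is local, but the browser still sends the
    # attacker-controlled name it resolved, so the Host check catches it.
    ({"Host": "rebind.attacker.example:8080"}, False),
    ({"Host": "localhost:8080", "Origin": "http://attacker.example"}, False),
    ({"Host": "localhost@attacker.example"}, False),
    ({}, False),
]

if __name__ == "__main__":
    for headers, expected in SAMPLES:
        print(is_allowed(headers), expected, headers)
```

A check like this works alongside an authentication token rather than replacing it, and it fails closed on a missing or malformed `Host` header.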
Ormandy has promised to disclose a series of vulnerabilities in torrent clients. He already disclosed a similar flaw in the popular Transmission torrent client.
Hope you liked this post, BitTorrent Rolls Out Questionable uTorrent Security Patch At The Last Minute. If you have any suggestions or queries, feel free to drop your comments below in the comments section.