BitTorrent client exploits could let rogue websites control your PC
Fixes are rolling out shortly.
BitTorrent's peer-to-peer app and its lightweight uTorrent counterpart are susceptible to particularly nasty hijacking flaws. Google researcher Tavis Ormandy recently detailed a host of DNS rebinding exploits in Windows versions of the software that lets attackers resolve web domains to the user's computer, essentially giving the intruders the keys to the kingdom. They could execute remote code, download malware to Windows' startup folder (making it launch on the next reboot), grab downloaded files and look at your download history. The flaws touch on all unpatched versions, including uTorrent Web.
Thankfully, fixes are either here or around the bend. Although Ormandy was concerned by the lack of communication after reporting the fix in December, BitTorrent engineering VP Dave Rees told Engadget that the flaws in the conventional client have been fixed in beta versions released last week. Those on the stable releases should see it this week. Ormandy was initially concerned that BitTorrent hadn't properly fixed uTorrent Web's problems, but Rees said a patch is now in place that should address that exploit. You can read the full statement below.
It's not certain if anyone has made use of the exploits in the wild. Having said that, you'll definitely want to update as quickly as you can. It would only take a visit to the wrong website to trigger an attack, and the consequences could be particularly severe.
"On December 4, 2017, we were made aware of several vulnerabilities in the uTorrent and BitTorrent Windows desktop clients. We began work immediately to address the issue. Our fix is complete and is available in the most recent beta release (build 3.5.3.44352 released on 16 Feb 2018). This week, we will begin to deliver it to our installed base of users. All users will be updated with the fix automatically over the following days. The nature of the exploit is such that an attacker could craft a URL that would cause actions to trigger in the client without the user's consent (e.g. adding a torrent).
"BitTorrent was also made aware yesterday that it's new beta product, uTorrent Web, is vulnerable to a similar bug. This is a different product and wasn't covered by the original vulnerabilities. The team behind uTorrent Web released a patch for that issue yesterday and we highly encourage all uTorrent Web customers to update to the latest available build 0.12.0.502 available on our website https://web.utorrent.com and also via the in-application update notification.
"As always, we encourage all customers to always stay up to date."
