BitTorrent client exploits could let rogue websites control your PC

Fixes are rolling out shortly.
Jon Fingas, @jonfingas
February 21, 2018

BitTorrent's peer-to-peer app and its lightweight uTorrent counterpart are susceptible to particularly nasty hijacking flaws. Google researcher Tavis Ormandy recently detailed a host of DNS rebinding exploits in Windows versions of the software that let attackers resolve web domains to the user's computer, essentially giving the intruders the keys to the kingdom. They could execute remote code, download malware to Windows' startup folder (making it launch on the next reboot), grab downloaded files and look at your download history. The flaws affect all unpatched versions, including uTorrent Web.

Thankfully, fixes are either here or around the bend. Although Ormandy was concerned by the lack of communication after reporting the flaws in December, BitTorrent engineering VP Dave Rees told Engadget that the flaws in the conventional client have been fixed in beta versions released last week. Those on the stable releases should see the fixes this week. Ormandy was initially concerned that BitTorrent hadn't properly fixed uTorrent Web's problems, but Rees said a patch is now in place that should address that exploit. You can read the full statement below.

It's not certain if anyone has made use of the exploits in the wild. Having said that, you'll definitely want to update as quickly as you can. It would only take a visit to the wrong website to trigger an attack, and the consequences could be particularly severe.
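
A common defence against the DNS rebinding described above is for a local service to reject any request whose Host header is not a loopback name, because a rebound request still carries the attacker's domain in that header. The sketch below is an added example, not code from BitTorrent or from this article; it assumes the client exposes an HTTP interface on the loopback address, and the port 8080, the allowlist and the name host_is_trusted are hypothetical.

```python
from http.server import BaseHTTPRequestHandler, HTTPServer

PORT = 8080  # hypothetical port, not taken from the article
ALLOWED_NAMES = {"localhost", "127.0.0.1", "[::1]"}  # assumed allowlist


def host_is_trusted(host_header, port=PORT):
    """Return True only if the Host header names this loopback service."""
    if not host_header:
        return False  # a missing or empty Host header is rejected
    host = host_header.strip().lower()
    if host.startswith("["):
        # Bracketed IPv6 literal: the address itself contains colons.
        name, sep, rest = host.partition("]")
        name += sep
        if rest == "":
            port_part = ""
        elif rest.startswith(":"):
            port_part = rest[1:]
        else:
            return False  # junk after the closing bracket
    else:
        name, _, port_part = host.partition(":")
    if port_part and port_part != str(port):
        return False  # right name, wrong port
    # Exact match only, so "127.0.0.1.attacker.example" does not pass.
    return name.rstrip(".") in ALLOWED_NAMES


class Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        # Check before doing any work: a page served from a rebound domain
        # reaches this socket but sends its own domain as Host.
        if not host_is_trusted(self.headers.get("Host")):
            self.send_error(403, "Untrusted Host header")
            return
        body = b"ok\n"
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    # Bind to loopback only; the Host check covers what binding alone cannot.
    HTTPServer(("127.0.0.1", PORT), Handler).serve_forever()
```

Binding to 127.0.0.1 alone does not stop rebinding, since the victim's own browser makes the connection; the Host check is what tells the two cases apart.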

"On December 4, 2017, we were made aware of several vulnerabilities in the uTorrent and BitTorrent Windows desktop clients. We began work immediately to address the issue. Our fix is complete and is available in the most recent beta release (build 3.5.3.44352 released on 16 Feb 2018). This week, we will begin to deliver it to our installed base of users. All users will be updated with the fix automatically over the following days. The nature of the exploit is such that an attacker could craft a URL that would cause actions to trigger in the client without the user's consent (e.g. adding a torrent).

"BitTorrent was also made aware yesterday that its new beta product, uTorrent Web, is vulnerable to a similar bug. This is a different product and wasn't covered by the original vulnerabilities. The team behind uTorrent Web released a patch for that issue yesterday and we highly encourage all uTorrent Web customers to update to the latest available build 0.12.0.502 available on our website https://web.utorrent.com and also via the in-application update notification.

"As always, we encourage all customers to always stay up to date."
