Google Finds uTorrent Security Flaw, BitTorrent Releases Useless Patch
#1
http://news.softpedia.com/news/google-fi...9886.shtml
BitTorrent says it fixed the problem in the latest beta
Feb 21, 2018 10:06 GMT · By Bogdan Popa
Back in January, Google Project Zero researcher Tavis Ormandy disclosed a vulnerability in BitTorrent app Transmission, explaining that a similar problem could exist in other clients as well.

In a new report this week, Ormandy reveals a similar security vulnerability in uTorrent, which at this point is one of the most popular BitTorrent clients on the desktop.

The issue was reported to BitTorrent in November, but just like the security researcher predicted, the parent company failed to issue a patch in the 90-day window that’s offered to resolve bugs found as part of the Project Zero program, so details were posted online this week.

The flaw exists in the web interface that allows users to control the BitTorrent client remotely, and if exploited, it could enable an attacker to get control of the vulnerable computer.

Vulnerability not fixed in latest beta
The developing company, however, says it has already prepared a patch that’s currently available as part of the latest beta release, and according to a report from TorrentFreak, it was projected to be pushed to the stable channel as soon as this week.

But as it turns out, the patch, which has also been shared with Ormandy, only renders the original exploit useless, rather than addressing the vulnerability altogether.

“It looks like BitTorrent just added a second token to uTorrent Web. That does not solve the DNS rebinding issue, it just broke my exploit,” Ormandy explained on Twitter. “It just fixed the exploit and verified it still works. I would recommend asking BitTorrent to resolve this issue if you’re affected, and it works in the default configuration so you probably are.”

BitTorrent hasn’t provided an updated statement to share new details on how and when it plans to ship a new patch, but with vulnerability info now public, the company should do this as soon as possible. The latest uTorrent update was published on February 17 to version 3.5.3 Build 44352 Beta. The most recent stable update is dated December 24 – version 3.5.1 Build 44332.
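
Why a token alone does not stop DNS rebinding while validating the Host header does, shown as an added example that is not part of the article or BitTorrent's code. It is a generic in-process model, not uTorrent's actual interface; the class, paths, port and hostnames are assumptions constructed for illustration.

```python
import secrets

# Assumed names: the port, paths and hostnames below are constructed for illustration.
ALLOWED_HOSTS = {"127.0.0.1:8080", "localhost:8080", "[::1]:8080"}


class LocalWebUI:
    """Minimal model of a loopback-only control interface."""

    def __init__(self, validate_host):
        self.validate_host = validate_host
        self.token = secrets.token_hex(16)

    def handle(self, host_header, path, token=None):
        """Return (status, body) for one request reaching the loopback socket."""
        # Host check: the header carries the name the browser resolved, so a
        # rebound request still shows the foreign name even though the TCP
        # connection arrives on 127.0.0.1.
        if self.validate_host and host_header.strip().lower() not in ALLOWED_HOSTS:
            return 403, "host not allowed"
        if path == "/token":
            # Any page the browser treats as same-origin can read this response.
            return 200, self.token
        if path == "/action":
            if token is None or not secrets.compare_digest(token, self.token):
                return 401, "bad token"
            return 200, "action performed"
        return 404, "not found"


def rebound_page_flow(ui, host="rebind.example:8080"):
    """Requests as a browser sends them from a page whose name now
    resolves to 127.0.0.1 (constructed hostname)."""
    status, body = ui.handle(host, "/token")
    if status != 200:
        return status
    status, _ = ui.handle(host, "/action", token=body)
    return status


def local_user_flow(ui):
    """The legitimate user browsing to the interface directly."""
    _, tok = ui.handle("localhost:8080", "/token")
    return ui.handle("localhost:8080", "/action", token=tok)[0]
```

With only the token check, the rebound page reads the token and is accepted; with the Host allowlist it is rejected before any token is served, and the local user is unaffected.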