uTorrent releases Security Patch for the undisclosed Vulnerability

By Aravindhsriram / February 21, 2018

uTorrent, the lightweight, elegant, and efficient torrent client, recently had a security flaw discovered by Google security researcher Tavis Ormandy. The report identifies "remote code execution flaws" in the famous torrent clients.

The main objective of the Google Project Zero team is to find security vulnerabilities in various products, report each bug to the manufacturer, and warn them to fix the problem within a 90-day deadline, which is Google's way of implementing responsible disclosure. The company must release a patch within the 90-day limit, or the flaw will be disclosed to the public without a patch being available.

Recently, Google disclosed a Microsoft Edge security flaw before the patch was ready. The team failed to fix the problem in the given time, and Google had no option other than releasing the threat to the public so that users could stay safe.

As we already know, uTorrent, from parent company BitTorrent Inc., has millions of active users online every day and is considered the most used torrent client so far. An issue in their torrent client would therefore be bad news.

At first, Google security researcher Tavis Ormandy reached out to Bram Cohen, the author of the peer-to-peer BitTorrent protocol, and reported the flaw found in their torrent client in November last year. Tavis also gave them a 90-day disclosure deadline to fix the problem. If they could not meet it, the flaw would be exposed to the public to avoid unnecessary attacks.

Even after being told about the vulnerability and the deadline, BitTorrent remained silent. So Tavis posted a tweet on his Twitter account saying,

"I don't think bittorrent are going to make a 90 day disclosure deadline, do you have any direct contacts who could help? I'm not convinced they understand the severity or urgency."

Within a week, BitTorrent Inc. released a patch in the Beta version but not in their stable release. David Rees, BitTorrent's Vice President, says that this will be promoted to the regular release this week if all goes well, reports TorrentFreak.

The patches were then shared with Tavis Ormandy to inform him of the team's new update.

Check the uTorrent Beta release notes below:

For more details about the latest and the previous Beta release notes, please visit this page.

Tavis Ormandy disclosed the information about the remote code execution after the patch was ready. The Google security researcher believes that uTorrent's patch is not as solid and strong as BitTorrent Inc.

From his tweet, we believe there is a DNS rebinding issue that allows a hacker to remotely execute code through uTorrent's remote control feature.
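As an added example (not from this article or from BitTorrent Inc.), a common defence against DNS rebinding for a loopback-only HTTP control interface is to reject any request whose Host header is not a loopback name on the expected port. The port `8080`, the `ALLOWED_HOSTS` set and all function and class names are assumptions made for illustration.

```python
# Added example: port and names are assumptions, not taken from uTorrent.
from http.server import BaseHTTPRequestHandler

CONTROL_PORT = 8080  # hypothetical port of the local control service
ALLOWED_HOSTS = {"localhost", "127.0.0.1", "::1"}


def split_host_header(value):
    """Return (host, port) from a Host header; port is None if absent."""
    value = value.strip().lower()
    if value.startswith("["):            # IPv6 literal such as [::1]:8080
        host, sep, rest = value[1:].partition("]")
        if not sep or (rest and not rest.startswith(":")):
            return None, None            # malformed bracket form
        port = rest[1:] or None
    else:
        host, _, port = value.partition(":")
        port = port or None
    return host.rstrip("."), port        # tolerate a trailing-dot FQDN


def host_is_allowed(header, expected_port=CONTROL_PORT):
    """True only when the browser addressed the service by a loopback name.

    After a rebind the attacker's domain resolves to 127.0.0.1, but the
    browser still sends that domain in Host, so the check rejects it.
    """
    if not header:
        return False
    host, port = split_host_header(header)
    if host not in ALLOWED_HOSTS:
        return False
    # A Host header without a port means the default HTTP port 80.
    return (port or "80") == str(expected_port)


class ControlHandler(BaseHTTPRequestHandler):
    """Refuses any request whose Host header is not a loopback name."""

    def do_GET(self):
        if not host_is_allowed(self.headers.get("Host")):
            self.send_error(403, "Host not allowed")
            return
        self.send_response(200)
        self.end_headers()
        self.wfile.write(b"ok\n")
```
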

A few hours later, he stated the following:
