uTorrent releases Security Patch for the undisclosed Vulnerability
The lightweight, elegant, and efficient torrenting downloading client - uTorrent recently had a security flaw discovered by Google security researcher Tavis Ormandy. From the report, it is identified that there are a "remote code execution flaws" in the famous torrent clients.
The main objective of Google Project Zero team is to trap the security vulnerability found in various products and expose the bug to the manufacturer and warning them to fix the problem within the 90-day deadline, which is Google way of implementing responsible disclosure. The company should bring a patch within the restricted 90-days time limit or the flaw will be disclosed to the public without a patch being released.
Recently, Google discloses Microsoft Edge security flaw before the patch is ready. This is because the team failed to fix the problem at a given time and there is no way for Google than releasing the thread to the public to stay safe.
As we already know that uTorrent parent company BitTorrent Inc. bundled with millions of active users online every day, which is considered as the most used torrent client so far. The condition will be bad if their torrent client had an issue.
At first, Google security researcher Tavis Ormandy reached to Bram Cohen, the author of the peer-to-peer BitTorrent protocol and reported about the flaw found in their torrent client in November last year. Tavis also gave them a 90-day disclosure deadline to fix the problem. In case, if they can't achieve the goal, then the flaw will be exposed to the public to avoid unnecessary attacks.
Even after addressing the vulnerability and their deadline, BitTorrent remained silent. So, Tavis left a tweet on his Twitter account saying,
"I don't think bittorrent are going to make a 90 day disclosure deadline, do you have any direct contacts who could help? I'm not convinced they understand the severity or urgency."
@bramcohen I don't think bittorrent are going to make a 90 day disclosure deadline, do you have any direct contacts who could help? I'm not convinced they understand the severity or urgency.
— Tavis Ormandy (@taviso) January 30, 2018
In a week, BitTorrent Inc. released a patch in the Beta version but not in their stable release. David Rees, the BitTorrent's Vice President says that this will be promoted to the regular release this week if all goes well, reports Torrent Freak.
These patches are then shared with the Tavis Ormandy to inform the new update by the team.
Check the uTorrent Beta release notes below:
- Point Remote "Learn More" link to better URL
- Multiple security fixes. Thanks to Tavis Ormandy for the report.
For more details about the latest and the previous Beta release notes, please visit this page.
Tavis Ormandy discloses the information about the remote code execution after the patch is ready. Google's security researcher believes that the uTorrent's patch is not as solid and strong as BitTorrent Inc.
Hmm, it looks like BitTorrent just added a second token to uTorrent Web. That does not solve the DNS rebinding issue, it just broke my exploit. 😩
— Tavis Ormandy (@taviso) February 20, 2018
From his tweet, we believe there is a DNS rebinding issue and that allows the hacker to remotely execute code through uTorrent’s remote control feature.
And in a few hours later, he states the following,
I just fixed the exploit and verified it still works. I would recommend asking BitTorrent to resolve this issue if you're affected, and it works in the default configuration so you probably are. Sigh.
— Tavis Ormandy (@taviso) February 20, 2018