If you have installed the world's most popular torrent download software, μTorrent, then you should download its latest version for Windows as soon as possible.
Tavis Ormandy, a security researcher at Google's Project Zero, discovered a serious remote code execution vulnerability in both the μTorrent desktop app for Windows (μTorrent Classic) and the newly launched μTorrent Web, which lets users download and stream torrents directly in their web browser.
Both μTorrent Classic and μTorrent Web run in the background on the Windows machine and start a locally hosted HTTP RPC server, on ports 10000 and 19575 respectively, through which the user's browser drives the application's interface. Any web page the browser loads can send requests to that server if it can address the loopback interface, and that is exactly what DNS rebinding gives an attacker.
To carry out the DNS rebinding attack, an attacker simply sets up a malicious website whose DNS name first resolves to the attacker's own server, so that the victim's browser loads the page, and then (using a very short TTL) is changed to resolve to the local IP address of the computer running the vulnerable μTorrent app. Because the browser still treats requests to that hostname as same-origin, the page's JavaScript can now talk to the local RPC server, which sees the request arrive with the attacker's domain in the Host header.
“This requires some simple DNS rebinding to attack remotely, but once you have the secret you can just change the directory torrents are saved to, and then download any file anywhere writable,” Ormandy explained.
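The defensive check a practitioner would want here is Host header validation on the local RPC server: a request that reached 127.0.0.1 through DNS rebinding still carries the attacker's domain in its Host header, so refusing anything that is not a loopback name shuts the channel. The following is an added example, not code from the article or from BitTorrent's products; the port constant, the `/gui/` path and the handler are assumptions for illustration only.

```python
"""Added example (not from the article or from μTorrent/BitTorrent):
a minimal localhost RPC-style HTTP server that rejects DNS-rebinding
requests by validating the Host header.

Port, path and handler are assumptions for illustration; they are not
μTorrent's real configuration.
"""
import http.server
import ipaddress
import json
import threading
import urllib.error
import urllib.request

LOCAL_PORT = 19575  # assumption: the article says μTorrent Web listens here


def host_is_local(host_header):
    """Return True only if the Host header names the loopback interface.

    Accepts 'localhost', '127.0.0.1', '[::1]' (optionally with ':port').
    Rejects any other name. A rebound attacker domain such as
    'evil.example' arrives at 127.0.0.1 with that domain in Host and is
    therefore refused.
    """
    if not host_header:
        return False
    host = host_header.strip().lower()
    if host.startswith("["):  # bracketed IPv6 literal, e.g. [::1]:19575
        end = host.find("]")
        if end == -1:
            return False
        name = host[1:end]
    else:
        name = host.rsplit(":", 1)[0] if ":" in host else host
    if name == "localhost":
        return True
    try:
        return ipaddress.ip_address(name).is_loopback
    except ValueError:  # not an IP literal at all -> some DNS name
        return False


class RebindingAwareHandler(http.server.BaseHTTPRequestHandler):
    """Answers only when the Host header points at loopback."""

    def do_GET(self):
        if not host_is_local(self.headers.get("Host")):
            self.send_error(403, "Host is not localhost; possible DNS rebinding")
            return
        body = json.dumps({"ok": True, "path": self.path}).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the example quiet
        pass


def serve_once_and_probe(hosts):
    """Start the server on an ephemeral loopback port, send one GET per
    Host value (simulating what a rebound page would send), and return
    {host: status_code}."""
    srv = http.server.HTTPServer(("127.0.0.1", 0), RebindingAwareHandler)
    port = srv.server_address[1]
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    results = {}
    try:
        for h in hosts:
            req = urllib.request.Request(
                f"http://127.0.0.1:{port}/gui/", headers={"Host": h})
            try:
                with urllib.request.urlopen(req, timeout=5) as resp:
                    results[h] = resp.status
            except urllib.error.HTTPError as e:
                results[h] = e.code
    finally:
        srv.shutdown()
        srv.server_close()
    return results


if __name__ == "__main__":
    # Constructed sample Host headers: two legitimate, two from a rebound page.
    print(serve_once_and_probe(
        ["localhost:19575", "127.0.0.1", "evil.example", "localhost.evil.example"]))
```

Running the block shows the legitimate Host values answered with 200 and the attacker-domain values refused with 403. Checking Host (or, equivalently, binding an unguessable per-session token that the page must present) is the standard mitigation for localhost services; the browser's same-origin policy alone does not help, because after rebinding the page and the local server share an origin from the browser's point of view.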
Proof-of-Concept Exploits for uTorrent Software Released Publicly
Ormandy also published proof-of-concept exploits for μTorrent Web and μTorrent desktop (1 and 2), which show how a web page on an attacker-controlled domain can pass commands to the local RPC server and have them executed on the targeted computer.
Last month, Ormandy demonstrated the same attack technique against the Transmission BitTorrent client.
“This issue is still exploitable,” Ormandy said. “The vulnerability is now public because a patch is available, and BitTorrent have already exhausted their 90 days anyway.”
“I see no other option for affected users but to stop using uTorrent Web and contact BitTorrent and request a comprehensive patch.”
Patch your uTorrent Software NOW!
The company assured its users that all vulnerabilities reported by Ormandy in two of its products had been addressed with the release of:
- μTorrent Stable 3.5.3.44358
- BitTorrent Stable 7.10.3.44359
- μTorrent Beta 3.5.3.44352
- μTorrent Web 0.12.0.502
All users are urged to update their software immediately.