BitTorrent says it fixed the problem in the latest beta

Feb 21, 2018 10:06 GMT

Back in January, Google Project Zero researcher Tavis Ormandy disclosed a vulnerability in BitTorrent app Transmission, explaining that a similar problem could exist in other clients as well.

In a new report this week, Ormandy reveals a similar security vulnerability in uTorrent, which at this point is one of the most popular BitTorrent clients on the desktop.

The issue was reported to BitTorrent in November, but just like the security researcher predicted, the parent company failed to issue a patch in the 90-day window that’s offered to resolve bugs found as part of the Project Zero program, so details were posted online this week.

The flaw exists in the web interface that allows users to control the BitTorrent client remotely, and if exploited, it could enable an attacker to get control of the vulnerable computer.

Vulnerability not fixed in latest beta

The developer, BitTorrent, however, says it has already prepared a patch that is currently available as part of the latest beta release, and according to a report from TorrentFreak, it was projected to be pushed to the stable channel as soon as this week.

But as it turns out, the patch, which has also been shared with Ormandy, only renders the original exploit useless, rather than addressing the vulnerability altogether.

“It looks like BitTorrent just added a second token to uTorrent Web. That does not solve the DNS rebinding issue, it just broke my exploit,” Ormandy explained on Twitter. “It just fixed the exploit and verified it still works. I would recommend asking BitTorrent to resolve this issue if you’re affected, and it works in the default configuration so you probably are.”
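The reason a second token does not address DNS rebinding is that the attack does not steal a token from a foreign origin: the attacker's hostname is pointed at 127.0.0.1 after the browser has already loaded the attacker's page, so the page becomes same-origin with the local web interface and can read any token it serves. What does stop the attack is refusing requests whose HTTP Host header is not one of the server's own names, because a rebound request still carries the attacker's hostname in Host. The following is an added example written for this article, not uTorrent's or BitTorrent's code; the port, the allow-list of loopback names, and the 421 status are assumptions chosen for the demonstration.

```python
"""Minimal local web interface that validates the Host header as a
DNS rebinding defence.  Added example, not uTorrent's own code.

A browser that was rebound from attacker.example to 127.0.0.1 still sends
"Host: attacker.example[:port]", so rejecting unknown Host values before
serving anything (including any CSRF/session token) closes the hole.
"""
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

LISTEN_PORT = 8080                              # assumed port for the demo
ALLOWED_HOSTS = {"localhost", "127.0.0.1", "::1"}  # assumed: the loopback names we answer for


def host_header_allowed(host_header, allowed=ALLOWED_HOSTS, port=LISTEN_PORT):
    """Return True only if the Host header names this server itself.

    Accepts 'localhost', 'localhost:8080', '127.0.0.1:8080', '[::1]:8080'.
    Rejects a missing or empty header, any foreign hostname (the rebinding
    case), a userinfo prefix, a non-numeric port, or a port that is not ours.
    """
    if not host_header or "@" in host_header:
        return False
    try:
        # Parse the header as a URL authority; urlsplit handles bracketed IPv6
        # literals, lowercases the hostname, and raises ValueError on a bad port.
        parts = urlsplit("//" + host_header.strip())
        hostname = parts.hostname
        hport = parts.port
    except ValueError:
        return False
    if hostname is None or hostname not in allowed:
        return False
    # Port is optional in Host; if present it must match the listening port.
    return hport is None or hport == port


class LocalOnlyHandler(BaseHTTPRequestHandler):
    """Serves a trivial page, but only to requests addressed to our own names."""

    def do_GET(self):
        if not host_header_allowed(self.headers.get("Host")):
            # 421 Misdirected Request: this server does not answer for that host.
            self.send_error(421, "Host header not recognised")
            return
        self.send_response(200)
        self.send_header("Content-Type", "text/plain; charset=utf-8")
        self.end_headers()
        self.wfile.write(b"local web interface: ok\n")

    def log_message(self, fmt, *args):
        # Keep the demo quiet; a real service would log rejected Host values
        # as a detection signal for rebinding attempts.
        pass


def serve():
    """Bind to loopback only and serve until interrupted."""
    HTTPServer(("127.0.0.1", LISTEN_PORT), LocalOnlyHandler).serve_forever()


if __name__ == "__main__":
    serve()
```

Binding to loopback alone is not sufficient, since a rebound request arrives on loopback too; the Host check is what distinguishes a request the user made from one a hostile page made through the user's browser. Rejected Host values are also worth logging, because a local service should essentially never see a foreign hostname in Host.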

BitTorrent hasn’t provided an updated statement with new details on how and when it plans to ship a new patch, but with the vulnerability details now public, the company should do this as soon as possible. The latest uTorrent update was published on February 17 as version 3.5.3 Build 44352 Beta. The most recent stable update is dated December 24 – version 3.5.1 Build 44332.