


Nemrod
08-12-2008, 04:38 PM
Critical Vulnerability Discovered in uTorrent


A vulnerability described as ‘critical’ has been discovered in versions of uTorrent and the official BitTorrent client. The ‘buffer overflow’ vulnerability can be exploited to compromise a user’s computer for the execution of arbitrary code. It is suggested that users should immediately update to uTorrent version 1.8 RC7 or higher. There is currently no fix for the official client.

Secunia has issued two urgent security alerts, one for uTorrent and the other for the official BitTorrent client. Both clients are being developed by BitTorrent Inc.
The vulnerability was found in uTorrent and can be maliciously exploited to compromise a user’s computer; however, it also affects the official BitTorrent client since it’s based on the uTorrent code.
According to Secunia, “the vulnerability is caused due to a boundary error in the processing of .torrent files. This can be exploited to cause a stack-based buffer overflow by tricking the user into opening a .torrent file containing an overly long ‘created by’ field”.
A successful execution of the exploit would allow the attacker to run arbitrary code on the victim’s machine.
The vulnerability exists in uTorrent version 1.7.7 (Build 8179) and may well affect earlier versions too, although this isn’t yet confirmed. The flaw is also present in the official BitTorrent client, versions 6.xx.
The solution for uTorrent users is to immediately upgrade to version 1.8. Currently there is no solution for those using the official client so caution is advised when using unverified torrents.






Source: TorrentFreak

SgtMajor
08-12-2008, 04:43 PM
I recall they announced all this when 1.7 came out and we were all advised to upgrade from our beloved 1.6.1.

Some trackers went into a wet frenzy and within a week we were all confused and had to run different version of utorrent for different trackers.

Seems like a case of "forced upgrade" again? :whistling

condom-man
08-12-2008, 04:44 PM
yea right, the vulnerability was waiting to be discovered until 1.8 went gold :dabs:. this is what they said when utorrent 1.7 was released, ditch 1.6 A.S.A.P blah blah

edit : major we think alike ? :D

Nemrod
08-12-2008, 04:56 PM
I recall they announced all this when 1.7 came out and we were all advised to upgrade from our beloved 1.6.1.

Some trackers went into a wet frenzy and within a week we were all confused and had to run different version of utorrent for different trackers.

Seems like a case of "forced upgrade" again? :whistling


That was my first thought too. :yup:

I'd like to hear what some staff have to say. I don't want to pass by that calvary again. :huh:

dunson
08-12-2008, 05:02 PM
Scam Cohen et. al. forcing you PC users to upgrade again eh?

Transmission ftw! :P

DoobieSnacks
08-12-2008, 05:04 PM
I don't see the big deal for people who use private trackers. Not like a malformed torrent would go unnoticed for long, and the uploader would be banned. Good to update for all you public tracker users though.

markupmaster
08-12-2008, 05:50 PM
/me facepalms..

Here we go again...

SenorBubbz
08-12-2008, 06:50 PM
I recall they announced all this when 1.7 came out and we were all advised to upgrade from our beloved 1.6.1.

Some trackers went into a wet frenzy and within a week we were all confused and had to run different version of utorrent for different trackers.

Seems like a case of "forced upgrade" again? :whistling

Dead on.

I now have a sinking feeling in my stomach about the people who "found" this vulnerability.

Sylar666
08-12-2008, 07:09 PM
Same old story. How about the new 1.8 , anyway? I've been using it for a while - so far nice and dandy.

Cabalo
08-12-2008, 08:10 PM
thank god i ditched utorrent some time ago...

Tanuki
08-12-2008, 09:04 PM
thank god i ditched utorrent some time ago...

For what?

kooftspc11
08-12-2008, 09:23 PM
thank god i ditched utorrent some time ago...

For what?

men

myfranco
08-12-2008, 10:36 PM
I really hate 1.8, 1.7.7 is way better than that. Now, they are forcing us to upgrade. I hope trackers don't follow it at all :)

NA_Magus
08-12-2008, 10:41 PM
I'll switch when major trackers require me to do so.

TP635
08-12-2008, 11:08 PM
Unless forced to by tracker, i will hold on to 1.7.7.

silvertec
08-12-2008, 11:17 PM
Isn't it funny they always find something wrong with the old releases when they have a new release of utorrent

I'll stick with Halite

internazionale 1908
08-13-2008, 12:34 AM
the final came out 1.8 stable build 11742 and already came out another one the build 11758 (to Fix: magnet URI file/directory naming)... yes it's normal for a new build to come out but.. is the 1.8 really stable now? I use the 1.6.1 and runs like my bike!

kooftspc11
08-13-2008, 12:58 AM
I use the 1.6.1 and runs like my bike!

so are you implying that your utorrent has flat tires?

internazionale 1908
08-13-2008, 02:40 AM
so are you implying that your utorrent has flat tires?
Many people say many things about older versions... don't mean that they are all true...

Cabalo
08-13-2008, 02:45 AM
thank god i ditched utorrent some time ago...

For what?
Vuze rox !!

buggyfresh
08-13-2008, 03:39 AM
Def more scare tactics..hope this time trackers wait until ppl have tested it themselves before forcing upgrades. 1.7.7 is fine afaik

yakz091
08-13-2008, 03:40 AM
agreed man vuze rocks and gives much faster speeds than utorrent and the gui is also great and moreover it is built using java technology so it is supposed to defeat all the security vulnerabilities

Tanuki
08-13-2008, 07:30 PM
I'll switch when major trackers require me to do so.

Yep, this was the reason I switched the last time.....the tracker. :-)

aysomc
08-13-2008, 08:05 PM
it's always amazing how these same problems are found right after a new version is released. i'll update if i have no other choice but atm this doesn't mean a thing to me since it's bullshit.

becomehokage
08-13-2008, 08:16 PM
*stuck on my 1.7.7 *

Gish
08-13-2008, 08:45 PM
So what's so good about the new release?
any big changes? for the people who are already using it

djkamikaze
08-14-2008, 07:03 AM
1.6.1 ftw