Bit Torrent’s peer-to-peer app and its uTorrent counterpart susceptible to a depraved Hijacking Errancy.

Google researcher Tavis Ormandy recently detailed a host of DNS rebinding exploits in Windows versions of Bit Torrent’s peer-to-peer app and its lightweight uTorrent counterpart.

The rebinding exploits lets attackers resolve web domains to the user's computer, essentially giving them illegal access to the user’s personal data.This illegal approach could help them to execute remote code, download malware to Windows' start up folder, grab downloaded files and access the download history of the user.

The flaws address on all unpatched versions, including uTorrent Web. Bit Torrent engineering VP Dave Rees says that the flaws in the conventional client have been fixed in beta versions released last week. Adding further that those that are on the stable releases are set to release in the coming week.

Ormandy was initially more concerned that Bit Torrent hadn't appropriately settled uTorrent Web's issues and also partly stressed by the recurring in lack of communication after reporting the fix in December, but Rees later added that the patch is now in place that should address that exploit, the full statement of his is below:

"On December 4, 2017, we were made aware of several vulnerabilities in the uTorrent and Bit Torrent Windows desktop clients. We began work immediately to address the issue. Our fix is complete and is available in the most recent beta release (build released on 16 Feb 2018). This week, we will begin to deliver it to our installed base of users. All users will be updated with the fix automatically over the following days. The nature of the exploit is such that an attacker could craft a URL that would cause actions to trigger in the client without the user's consent (e.g. adding a torrent).”

"Bit Torrent was also made aware yesterday that its new beta product, uTorrent Web, is vulnerable to a similar bug. This is a different product and wasn't covered by the original vulnerabilities. The team behind uTorrent Web released a patch for that issue yesterday and we highly encourage all uTorrent Web customers to update to the latest available build available on our website and also via the in-application update notification.”

"As always, we encourage all customers to always stay up to date."

It's not certain till now whether anyone has made use of the exploits in the wild or not. Having said that, it’s smarter to stay wary as it would only take a visit to the wrong website to trigger an attack, and the consequences following it could be particularly severe.
Category: / /

Share this with Your friends: