A New Vulnerability Discovered in μTorrent - gHacks Tech News

A New Vulnerability Discovered in μTorrent

As far as file-sharing protocols go, BitTorrent has emerged as one of the leading P2P technologies being used. μTorrent is one of the most popular BitTorrent apps around, largely because of its small size and ease of use. While μTorrent used to be an independent client, it has since been taken over by BitTorrent Inc. which has partnerships with almost all the major movie networks.

μTorrent has recently been found to contain a very serious security vulnerability. Apparently, there is a boundary error in the processing of ‘.torrent' files, which can be exploited to cause a stack-based buffer overflow.

What this means is that someone can create a malicious torrent file and place his or her own code in the ‘created by' section of the torrent. This code may be harmless or something serious like allowing the hacker access to the machine that runs the .torrent file.

Older versions of μTorrent do not limit the amount of data that can be present in the ‘created by' section of a torrent file so this problem exists in all μTorrent version prior to 1.8. All users are requested to download μTorrent 1.8 Release Candidate 7, which has been patched to fix this problem.

While the security vulnerability sounds serious enough, I'm a little skeptical of how dangerous it actually is. A user would have to intentionally download a corrupt torrent file and run it. Plus, indexing sites list torrent contents including the creator of the torrent so you can easily avoid files that look suspicious.

Personally, I think this is another way for BitTorrent Inc. to convince users of old versions of μTorrent to upgrade to the newer one. Considering their links with the movie industry, it doesn't sound so far-fetched.

Would you upgrade to the newest version of μTorrent? I'm using version 1.6 myself, which is the last version released before BitTorrent Inc. took over. Should I upgrade or stay with my old version? Let me know in the comments.

Advertisement

We need your help

Advertising revenue is falling fast across the Internet, and independently-run sites like Ghacks are hit hardest by it. The advertising model in its current form is coming to an end, and we have to find other ways to continue operating this site.

We are committed to keeping our content free and independent, which means no paywalls, no sponsored posts, no annoying ad formats or subscription fees.

If you like our content, and would like to help, please consider making a contribution:


Previous Post: «
Next Post: »

Comments

  1. Boss said on August 17, 2008 at 9:34 am
    Reply

    I can almost bet that the new owners of utorrent have implanted a backdoor so they can easily monitor what you download and so on to better make a case against you in the future.

  2. Rarst said on August 17, 2008 at 10:09 am
    Reply

    >All users are requested to download μTorrent 1.8 Release Candidate 7, which has been patched to fix this problem.

    There is final 1.8 release out, not much sense in downloading RC7. :)

    >Would you upgrade to the newest version of μTorrent?

    I upgrade to latest, they simplified RSS downloading (not perfect still… but big improvement) and some local trackers I visit mostly ban old versions of clients to escape mess with supporting them.

    >I can almost bet that the new owners of utorrent have implanted a backdoor so they can easily monitor what you download and so on to better make a case against you in the future.

    Yeah, sure and they are hiding truth about aliens as well. :)

  3. darkkosmos said on August 17, 2008 at 10:47 am
    Reply

    I would if only I figured out how to upgrade on debian servers -.-. Well I’m getting a ubuntu or windows server next!! As for my laptop yes since the new features are free anyway (I don’t have it though).

  4. unruled said on August 17, 2008 at 3:37 pm
    Reply

    I agree with Rarst… I don’t think one ought to be this suspicious about it.

    As for myself, on private bittorent sites, they often ban clients (or client versions) which are deemed insecure or unreliable. Hence, yes, I have already upgraded to 1.8(11813)

  5. BillyG said on August 17, 2008 at 4:28 pm
    Reply

    Ease of use? I dl’d my first torrent this week, the opening ceremony of the Olympics, but I couldn’t for the life of me figure out how to view it after it created a folder with 50+ files for me.

    I tried VLC, MPC, WMP, and Miro – nothing worked. It was prolly just my green ass, but in the end, I just deleted the folder and screamed at myself for being too lazy to load the VCR that night before heading out to a 70’s party. And yea, I uninstalled utorrent too – although it prolly isn’t their fault…

  6. dianoga said on August 17, 2008 at 5:12 pm
    Reply

    BillyG, I don’t know what files you downloaded, but in your case, you probably have to use winrar or another archiver to extract the video or whatever is in those 50+ files. Do they have the extension .rar or .001+? If so, you need to extract them before you can play them in a media player.

  7. AndyJ said on August 18, 2008 at 5:12 am
    Reply

    I use an old version of uTorrent. It does the job for me so i don’t feek the need to upgrade to a new version.

  8. garbanzo said on August 19, 2008 at 10:21 am
    Reply

    there still remains an inherent and debilitating vulnerability that will never be fixed – uTorrent is a torrent client! i stopped using torrents a long time ago, it’s just too easy for people to see exactly what you are downloading.

    rapidshare forever!

  9. BillyG said on August 20, 2008 at 5:16 am
    Reply

    @dianoga: exactly many files named xxx.001, xxx.002, etc. Guess I know now, thx. Sure seems like a lot of work, damn I should’ve just loaded that ol’ VCR!

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

Please note that your comment may not appear immediately after you post it.