A New Vulnerability Discovered in μTorrent

Cheryl
Aug 17, 2008
Updated • Dec 2, 2012

As far as file-sharing protocols go, BitTorrent has emerged as one of the leading P2P technologies in use. μTorrent is one of the most popular BitTorrent apps around, largely because of its small size and ease of use. While μTorrent used to be an independent client, it has since been taken over by BitTorrent Inc., which has partnerships with almost all the major movie networks.

μTorrent has recently been found to contain a very serious security vulnerability. Apparently, there is a boundary error in the processing of '.torrent' files, which can be exploited to cause a stack-based buffer overflow.

What this means is that someone can create a malicious torrent file and place his or her own code in the 'created by' section of the torrent. That code may be harmless, or it may do something serious, such as giving the attacker access to the machine on which the .torrent file is opened.

Older versions of μTorrent do not limit the amount of data that can be present in the 'created by' section of a torrent file, so this problem exists in all μTorrent versions prior to 1.8. All users are requested to download μTorrent 1.8 Release Candidate 7, which has been patched to fix this problem.

While the security vulnerability sounds serious enough, I'm a little skeptical of how dangerous it actually is. A user would have to intentionally download a corrupt torrent file and run it. Plus, indexing sites list torrent contents including the creator of the torrent so you can easily avoid files that look suspicious.

Personally, I think this is another way for BitTorrent Inc. to convince users of old versions of μTorrent to upgrade to the newer one. Considering their links with the movie industry, it doesn't sound so far-fetched.

Would you upgrade to the newest version of μTorrent? I'm using version 1.6 myself, which is the last version released before BitTorrent Inc. took over. Should I upgrade or stay with my old version? Let me know in the comments.


Comments

  1. BillyG said on August 20, 2008 at 5:16 am

    @dianoga: exactly many files named xxx.001, xxx.002, etc. Guess I know now, thx. Sure seems like a lot of work, damn I should’ve just loaded that ol’ VCR!

  2. garbanzo said on August 19, 2008 at 10:21 am

    there still remains an inherent and debilitating vulnerability that will never be fixed – uTorrent is a torrent client! i stopped using torrents a long time ago, it’s just too easy for people to see exactly what you are downloading.

    rapidshare forever!

  3. AndyJ said on August 18, 2008 at 5:12 am

    I use an old version of uTorrent. It does the job for me so I don’t feel the need to upgrade to a new version.

  4. dianoga said on August 17, 2008 at 5:12 pm

    BillyG, I don’t know what files you downloaded, but in your case, you probably have to use winrar or another archiver to extract the video or whatever is in those 50+ files. Do they have the extension .rar or .001+? If so, you need to extract them before you can play them in a media player.

  5. BillyG said on August 17, 2008 at 4:28 pm

    Ease of use? I dl’d my first torrent this week, the opening ceremony of the Olympics, but I couldn’t for the life of me figure out how to view it after it created a folder with 50+ files for me.

    I tried VLC, MPC, WMP, and Miro – nothing worked. It was prolly just my green ass, but in the end, I just deleted the folder and screamed at myself for being too lazy to load the VCR that night before heading out to a 70’s party. And yea, I uninstalled utorrent too – although it prolly isn’t their fault…

  6. unruled said on August 17, 2008 at 3:37 pm

    I agree with Rarst… I don’t think one ought to be this suspicious about it.

    As for myself, on private bittorrent sites, they often ban clients (or client versions) which are deemed insecure or unreliable. Hence, yes, I have already upgraded to 1.8(11813)

  7. darkkosmos said on August 17, 2008 at 10:47 am

    I would if only I figured out how to upgrade on debian servers -.-. Well I’m getting a ubuntu or windows server next!! As for my laptop yes since the new features are free anyway (I don’t have it though).

  8. Rarst said on August 17, 2008 at 10:09 am

    >All users are requested to download μTorrent 1.8 Release Candidate 7, which has been patched to fix this problem.

    There is final 1.8 release out, not much sense in downloading RC7. :)

    >Would you upgrade to the newest version of μTorrent?

    I upgrade to latest, they simplified RSS downloading (not perfect still… but big improvement) and some local trackers I visit mostly ban old versions of clients to escape mess with supporting them.

    >I can almost bet that the new owners of utorrent have implanted a backdoor so they can easily monitor what you download and so on to better make a case against you in the future.

    Yeah, sure and they are hiding truth about aliens as well. :)

  9. Boss said on August 17, 2008 at 9:34 am

    I can almost bet that the new owners of utorrent have implanted a backdoor so they can easily monitor what you download and so on to better make a case against you in the future.
