BitTorrent's official uTorrent client has a security vulnerability
BitTorrent’s official client, uTorrent, has a security vulnerability involving its web client that allows attackers to take control of the application. The issue was reported by Google Project Zero researcher Tavis Ormandy. As per Project Zero’s policies, Ormandy gave BitTorrent 90 days to respond to his report.
BitTorrent sent Ormandy a beta build of uTorrent Classic which appeared to fix the issue, although he cautioned there may still be security flaws. “I think there is still a lot of unnecessary remote attack surface, but I don’t have any way to break the new build right now,” he said. BitTorrent then rolled out a patch for the beta version of uTorrent and announced the security problems were fixed.
However, earlier today Ormandy revealed that BitTorrent had moved the vulnerability to a different location.
“The vulnerability is now public because a patch is available, and BitTorrent have already exhausted their 90 days anyway.
I see no other option for affected users but to stop using uTorrent Web and contact BitTorrent and request a comprehensive patch,” he said.