BitTorrent patches security holes in uTorrent to prevent malware distribution

In November 2017, several security bugs were identified in uTorrent, one of the most popular and widely used torrent clients. The zero-day vulnerabilities were found by Google Project Zero researcher Tavis Ormandy and reported to BitTorrent, but no response was received. Under Project Zero's disclosure policy, BitTorrent was given 90 days to fix the vulnerabilities.

In late January, Ormandy tweeted at Bram Cohen, the founder of the company, to encourage it to act on the issues. Although the company patched the vulnerabilities in the latest beta version of the uTorrent desktop application, doubt remains over whether the patch really closes the security holes.

The uTorrent software, also known as µTorrent, is a lightweight client that lets users download files quickly. The software is appreciated for its limited use of system resources, but also criticized for heavy advertising, generating millions of ad impressions and making the platform attractive to advertisers. Some people consider torrents illegal, but legality depends on the copyright status of the content being shared. If use and distribution of the file are not restricted by copyright law, using torrents is entirely legal; if the person sharing the file does not have permission to distribute it, downloading that file is illegal.

The discovery of the security vulnerabilities in uTorrent showed that visiting a malicious website while uTorrent is running on the PC could result in serious security issues. These flaws enable attackers to infect the PC, steal data, and view download history. To compromise systems running uTorrent Web, a DNS rebinding attack would be enough to carry out the attack remotely: a malicious page is served from an attacker-controlled hostname, which is then re-pointed at 127.0.0.1 so the browser's requests reach the local uTorrent Web interface. As a result, an attacker could set a new download directory and deliver malware to the compromised device.
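The defence against the DNS rebinding route described above is for a loopback-bound web interface to validate the Host header rather than trust that the connection arrived locally. The following is an added illustration, not uTorrent's own code; the service port (8080) and the Host values in the comments are assumed sample values.

```python
"""Host-header allowlisting and a rebinding signature for a loopback-bound
HTTP RPC service. Added illustration; not uTorrent's own code."""
import ipaddress
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Names under which the service expects to be reached (assumption: it binds
# only to loopback). urlsplit strips IPv6 brackets and lower-cases hostnames.
LOOPBACK_NAMES = {"localhost", "127.0.0.1", "::1"}


def split_host(host_header: str) -> Optional[Tuple[str, Optional[int]]]:
    """Parse `Host: name[:port]` (IPv4, bracketed IPv6 or DNS name); None if malformed."""
    if not host_header or len(host_header) > 255:
        return None
    if "@" in host_header or "/" in host_header:  # no userinfo or path tricks
        return None
    try:
        parts = urlsplit("//" + host_header.strip())
        hostname, port = parts.hostname, parts.port  # .port raises on non-numeric
    except ValueError:
        return None
    return (hostname, port) if hostname else None


def host_header_allowed(host_header: str, expected_port: int) -> bool:
    """Accept a request only if Host names the loopback service on its port.

    Under DNS rebinding the TCP connection is genuinely local (the attacker's
    name now resolves to 127.0.0.1) but the browser still sends that name in
    Host, so the header, not the socket address, is what must be checked.
    """
    parsed = split_host(host_header)
    if parsed is None:
        return False
    hostname, port = parsed
    return hostname in LOOPBACK_NAMES and port == expected_port


def looks_like_rebinding(peer_ip: str, host_header: str) -> bool:
    """Detection signal: a loopback connection carrying a non-loopback Host."""
    try:
        from_loopback = ipaddress.ip_address(peer_ip).is_loopback
    except ValueError:
        return False
    parsed = split_host(host_header)
    hostname = parsed[0] if parsed else None
    return from_loopback and hostname not in LOOPBACK_NAMES
```

A request from 127.0.0.1 with `Host: attacker.example:8080` is both rejected by `host_header_allowed` and flagged by `looks_like_rebinding`, which is the log line worth alerting on.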

The uTorrent desktop app would let attackers enumerate and copy files downloaded to the device, which could be achieved with a brute-force attack. Other security issues were also found and disclosed privately to the developers before the vulnerabilities were made public.

Reportedly, the updated version will be installed automatically in the near future, but the patched version can also be installed manually. Dave Rees, vice president of engineering at BitTorrent, said that a separate update for the uTorrent web client was also released, and advised uTorrent Web users to download the latest version from web.utorrent.com or through the in-app update notification. Specifically, desktop users should update to uTorrent Classic version 3.5.3.44352 (released on February 16, 2018), and uTorrent Web users should update to version 0.12.0.502.

However, a further question about the reliability of the fix was raised by Ormandy's statement that BitTorrent had only moved the vulnerabilities to a different location, suggesting that uTorrent may still be at risk.
