uTorrent file-swappers urged to upgrade after PC hijack flaws fixed

Users of uTorrent should grab the latest versions of the popular torrenting tools: serious security bugs, which malicious websites can exploit to commandeer PCs, were squashed this week in the software.

If you're running a vulnerable Windows build of the pira, er, file-sharing applications while browsing the web, devious JavaScript code on an evil site can connect to your uTorrent app and leverage it to potentially rifle through your downloaded files or run malware.

The flaws were found by Googler Tavis Ormandy: he spotted and reported the vulnerabilities in BitTorrent's uTorrent Classic and uTorrent Web apps in early December. This month, BitTorrent began emitting new versions of these products for people to install by hand or via the built-in update mechanism. These corrected builds were offered first as beta releases, and in the coming days will be issued as official updates, we're told.

Look out for version 3.5.3.44352 or higher of the desktop flavor, or version 0.12.0.502 and higher of the Spotify-styled Web build.

The latest classic desktop app looks to be secured. However, Ormandy was skeptical the uTorrent Web client had been fully fixed, believing the software to still be vulnerable to attack. On Wednesday this week, he went public with his findings since he had, by this point, given BitTorrent three months to address their coding cockup.

"The vulnerability is now public because a patch is available, and BitTorrent have already exhausted their 90 days anyway," Ormandy wrote in his advisory.

"I see no other option for affected users but to stop using uTorrent Web and contact BitTorrent and request a comprehensive patch. We've done all we can to give BitTorrent adequate time, information and feedback, and the issue remains unsolved."

BitTorrent told The Register the flaws should all be resolved this week, including the Web app Ormandy was concerned about.

"All users will be updated with the fix automatically over the following days. The nature of the exploit is such that an attacker could craft a URL that would cause actions to trigger in the client without the user’s consent (e.g. adding a torrent)," said Dave Rees, BitTorrent's veep of engineering, late on Tuesday.

The security weaknesses are a result of uTorrent Classic creating an HTTP RPC server on port 10000 or 19575 for the uTorrent Web version. A malicious webpage, or anything else running on the PC, could perform a DNS rebinding attack to inject commands into the torrenting apps.

Pre-patch, the desktop app could be abused to allow "any website you visit [to] read and copy every torrent you've downloaded," according to Ormandy. The flaws were more serious in the Web app: the code could be attacked to download an arbitrary .exe into the operating system's startup folder, effectively ensuring malware runs during the next boot up. ®