Popular BitTorrent Client Quietly Patched An Old Zero-Day Vulnerability
Popular BitTorrent client µTorrent has silently patched a vulnerability that created a means for hackers to load malware onto PCs of file sharing users by persuading them to open a poisoned Torrent file. The vulnerability has been confirmed in version 1.7.7 of µTorrent. Earlier versions may also be vulnerable.
News of the bug emerged in a posting by Rhys Kidd to a security mailing list on Monday. He claimed that the flaw had been present as a zero-day vulnerability in the software for the last two years. The flaw is caused by a stack-based buffer overflow vulnerability and offered far more potential for damage than either salted (empty or impossible to play) files or media files that attempt to induce users to install fake codecs (often contaminated with malware) once users attempt to play downloaded content.
BitTorrent Mainline version six and beyond are also vulnerable because BitTorrent, Inc. makes use of µTorrent source code. The two software packages make up over 18.8 percent on the installed P2P client base, creating plenty of scope for mischief even though the bug would have been far from straightforward to misuse, since reliable exploitation is difficult although not impossible.
The new version of µTorrent, released earlier this month, fixes the flaw, even if release notes fail to mention this point. Version 1.8 RC7 of the software silently patched the flaw, according to security notification service Secunia, which advises users to update to version 1.8.0 of µTorrent. BitTorrent is also vulnerable but yet to deliver a patch, according to Secunia.
More on CyberInsecure:
Leave a Reply
Comments with unsolicited links to other resources will be marked as spam. DO NOT leave links in comments. Please leave your real email, it wont be published.