Daily cyber threats and internet security news: network security, online safety and latest security alerts
August 14th, 2008

Popular BitTorrent Client Quietly Patched An Old Zero-Day Vulnerability

Popular BitTorrent client µTorrent has silently patched a vulnerability that created a means for hackers to load malware onto PCs of file sharing users by persuading them to open a poisoned Torrent file. The vulnerability has been confirmed in version 1.7.7 of µTorrent. Earlier versions may also be vulnerable.

News of the bug emerged in a posting by Rhys Kidd to a security mailing list on Monday. He claimed that the flaw had been present as a zero-day vulnerability in the software for the last two years. The flaw is caused by a stack-based buffer overflow vulnerability and offered far more potential for damage than either salted (empty or impossible to play) files or media files that attempt to induce users to install fake codecs (often contaminated with malware) once users attempt to play downloaded content.

BitTorrent Mainline version six and beyond are also vulnerable because BitTorrent, Inc. makes use of µTorrent source code. The two software packages make up over 18.8 percent on the installed P2P client base, creating plenty of scope for mischief even though the bug would have been far from straightforward to misuse, since reliable exploitation is difficult although not impossible.

The new version of µTorrent, released earlier this month, fixes the flaw, even if release notes fail to mention this point. Version 1.8 RC7 of the software silently patched the flaw, according to security notification service Secunia, which advises users to update to version 1.8.0 of µTorrent. BitTorrent is also vulnerable but yet to deliver a patch, according to Secunia.

Share this item with others:

More on CyberInsecure:
  • Critical Flaws Patched In Opera 9.61, New Zero-day Vulnerability Remains Unpatched
  • Malware Torrent Delivered Over Google, Yahoo! Ad Services
  • Zero-day Microsoft Windows NSlookup.exe Vulnerability Exploited In The Wild
  • Critical 0-day Vulnerability In Internet Explorer 6 And 7, Exploit Already Published
  • Internet Explorer 0-day Malware Infects Amnesty International Hong Kong Website Visitors

  • If you found this information useful, consider linking to it from your own website.
    Just copy and paste the code below into your website (Ctrl+C to copy)
    It will look like this: Popular BitTorrent Client Quietly Patched An Old Zero-Day Vulnerability

    Leave a Reply

    Comments with unsolicited links to other resources will be marked as spam. DO NOT leave links in comments. Please leave your real email, it wont be published.

    To prove you’re a person (not a spam script), type the security word shown in the picture. Click on the picture to hear an audio file of the word.
    Click to hear an audio file of the anti-spam word