On Feb 1, 2016 we were informed about a DLL planting vulnerability in uTorrent/BitTorrent by the team behind The Zero Day Initiative. All versions of uTorrent prior to 22.214.171.124330 and BitTorrent 126.96.36.199331 are affected.
Older versions of uTorrent/BitTorrent would “pin” netprofm.dll at startup in an attempt to mitigate an old crash caused by premature DLL unloading. The “pinning” mechanism employed had the undesirable effect of allowing a local attacker to execute code during uTorrent/BitTorrent’s startup by dropping (or “planting”) a specially crafted DLL in the program’s working directory (or the current directory at the time of application launch).
This explicit DLL load, combined with the WebUI’s ability to download files to uTorrent/BitTorrent’s working directory, could have allowed an attacker to execute arbitrary code by instructing uTorrent/BitTorrent to download a cleverly crafted .torrent through the WebUI.
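One way a defender can spot this pattern in endpoint telemetry, as an added example that is not part of this advisory or of uTorrent’s code: it assumes Sysmon-style image-load events already parsed into dicts with `image` (loading process) and `loaded` (DLL path) keys, and a standard `C:\Windows` system root; the sample events are constructed.

```python
"""Flag loads of a System32-resident DLL from anywhere other than the system
directories, which is the planting pattern the advisory describes (a copy of
netprofm.dll dropped into the program's working directory).

Added example, not the advisory's or the project's own code. Assumes Sysmon
Event ID 7 (ImageLoad) data already parsed into dicts; records are constructed.
"""
import ntpath

# DLLs that a well-behaved process should only ever load from the system
# directories. 32-bit processes on 64-bit Windows are redirected to SysWOW64,
# so both locations are considered legitimate (assumed system root C:\Windows).
SYSTEM_DLLS = {"netprofm.dll"}
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# Constructed sample records, not real telemetry.
SAMPLE_EVENTS = [
    {"image": r"C:\Program Files\uTorrent\uTorrent.exe",
     "loaded": r"C:\Windows\System32\netprofm.dll"},          # expected
    {"image": r"C:\Users\alice\Downloads\uTorrent.exe",
     "loaded": r"C:\Users\alice\Downloads\netprofm.dll"},     # planted copy
    {"image": r"C:\Program Files\BitTorrent\BitTorrent.exe",
     "loaded": r"C:\Windows\SysWOW64\netprofm.dll"},          # WOW64 redirect
    {"image": r"C:\Windows\explorer.exe",
     "loaded": r"C:\Windows\System32\kernel32.dll"},          # not watched
]


def is_planted_load(event):
    """True when a watched DLL name is loaded from outside the system dirs."""
    loaded = event["loaded"]
    name = ntpath.basename(loaded).lower()
    if name not in SYSTEM_DLLS:
        return False
    # ntpath handles Windows separators regardless of the analysis host OS.
    directory = ntpath.dirname(loaded).lower()
    return directory not in SYSTEM_DIRS


def find_planted_loads(events):
    """Return (process image, DLL path) pairs that match the planting pattern."""
    return [(e["image"], e["loaded"]) for e in events if is_planted_load(e)]


if __name__ == "__main__":
    for image, dll in find_planted_loads(SAMPLE_EVENTS):
        print(f"suspicious: {image} loaded {dll}")
```

Only the copy loaded from the user's download folder is reported; the System32 and SysWOW64 loads are treated as legitimate.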
To mitigate the vulnerability, the latest versions of uTorrent/BitTorrent:
– Will not pin netprofm.dll at startup. The DLL is loaded when required as any other DLL.
– Will not allow the WebUI to download files to uTorrent/BitTorrent’s working directory.
To stay up to date with upcoming changes in the next stable build follow our beta changelog here.
Thank you to The Zero Day Initiative for responsibly reporting this vulnerability.
– uTorrent/BitTorrent Team