Archives For

HTTP/RPC Security Vulnerabilities Resolved in uTorrent, BitTorrent and uTorrent Web

David Rees —  February 22, 2018 — 8 Comments

A fix for multiple vulnerabilities affecting all uTorrent, BitTorrent and uTorrent Web Windows users is now available for immediate download at the links below. We must stress that while this is a vulnerability that can be exploited to trigger unauthorized downloads to take place, BitTorrent Inc. is not aware of any incidents related to these vulnerabilities. As always, we highly encourage all of our customers to stay up to date. Android and Mac users are not affected by the reported vulnerabilities.

Download the latest builds:

uTorrent Stable 3.5.3.44358
Bittorrent Stable 7.10.3.44359
uTorrent Beta 3.5.3.44352
uTorrent Web 0.12.0.502

The team began rolling out the update to beta uTorrent Windows users via the auto update mechanism on Feb 16, 2018. As of today, Feb 22, 2018, the rollout for beta users has concluded and the stable rollout has started. Included in the latest builds are fixes to the way uTorrent and uTorrent Web authenticate WebUI requests and generate session and authentication tokens. In addition to this, the updates clamp down on guest account access limits and enforce more checks on potentially malicious HTTP headers sent to the client.

Customers and developers of 3rd-party applications that rely on the default-open state of port 10000 should be aware that moving forward, clients will no longer be discoverable over port 10000. Pairing negotiation is now only allowed over a mutually agreed upon port. Customers can set this port manually by enabling WebUI functionality via Advanced->WebUI-> Enable Web UI and then specifying a port under the Connectivity section.

WebUISettings

You can find the full changelog here:

uTorrent 3.5.3 For Windows (build 44358)

In Engineering, Uncategorized, µTorrent
permalink

A Word on the OS X Malware Attack

David Rees —  March 11, 2016 — Leave a comment

In our connected world, no one is safe from malware. All types of software are constantly under attack, making security a major issue for software developers everywhere, every day.

This week, the first ransomware on Mac was discovered in a release by the Transmission team. It’s understandable that this has made news, particularly given that this is the first direct malware attack to impact OS X users.

On behalf of our friends at Transmission, we would urge understanding and ask users to look at their body of work when judging them and not a single incident which they quickly and decisively handled.

By many accounts, this vulnerability for OS X has existed for some time. Every company, every website, is prone to vulnerabilities. There is no software vendor out there that has not done its fair share of firefighting. It is a credit to all the teams that can flag and address an issue quickly before it reaches consumers becomes widespread.

It was unfortunate that Transmission was the vector of this first attack, but kudos to the team for reacting quickly to release a fixed version that removes the malicious code. The issue was discovered on March 4th and addressed the next day. Having gone through a few of these fire drills myself, I understand what kind of effort it takes to react that quickly to an issue.  If you are reading this and you use Transmission, please download their latest version to remove the malware.

What is also important to note, and many news outlets have reported this correctly, is that the attack was not on the BitTorrent protocol nor on Transmission’s client. The attack does not affect other BitTorrent clients, nor does it affect the files you download via BitTorrent. This attack was directed at OS X itself via a packaged file within the installer tool used to download Transmission. Palo Alto Networks describes it here:

Attackers infected two installers of Transmission version 2.90 with KeRanger on the morning of March 4. When we identified the issue, the infected DMG files were still available for downloading from the Transmission site (hxxps://download.transmissionbt.com/files/Transmission-2.90[.]dmg) Transmission is an open source project. It’s possible that Transmission’s official website was compromised and the files were replaced by re-compiled malicious versions, but we can’t confirm how this infection occurred.

As developers of software used by millions of people, we have to be ever vigilant.  All of us take security seriously and try very hard to thwart attacks of any variety.  So once again, hats off to the Transmission team for dealing with this threat quickly.

In Uncategorized
permalink