uTorrent Is Vulnerable to Security Bugs That Let Malicious Websites Control Your Computer
One of the most used BitTorrent apps, uTorrent, is vulnerable to security bugs that can enable attackers to take control of your machines and execute code. A Google Project Zero security researcher has reported multiple flaws affecting the uTorrent web and desktop clients.
Tavis Ormandy, who's become a regular name in the bug discovery world, revealed that one of the most widely used torrent apps has some easy-to-exploit vulnerabilities that can be used to execute code and snoop on a target's download history. The bugs impact both uTorrent Web, a new web-based version of the uTorrent BitTorrent client, and uTorrent Classic, the old client that most people know and use. Both clients expose an RPC server, on port 10000 (uTorrent Classic) and port 19575 (uTorrent Web).
To be clear, visiting *any* website is enough to compromise these applications.
He noted that uTorrent Web is the worst affected: attackers can download malware onto the target computer and change the default download folder to something like the startup folder, so that the malicious file is loaded the next time the system boots up.
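A defender's check for the RPC listeners described above, as an added example that is not part of the original article: it scans Windows `netstat -ano` output for sockets in the LISTENING state on ports 10000 and 19575. The sample output, its PIDs and addresses, and the function name are constructed for illustration.

```python
import re

# Ports taken from the article: the RPC listener of each client.
UTORRENT_RPC_PORTS = {10000: "uTorrent Classic", 19575: "uTorrent Web"}

# Constructed sample of `netstat -ano` output (PIDs and addresses are made up).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       932
  TCP    127.0.0.1:10000        0.0.0.0:0              LISTENING       4120
  TCP    127.0.0.1:19575        0.0.0.0:0              LISTENING       5588
  TCP    192.168.1.20:51000     203.0.113.7:443        ESTABLISHED     4120
  TCP    [::]:445               [::]:0                 LISTENING       4
  TCP    192.168.1.20:51022     198.51.100.9:10000     ESTABLISHED     7001
"""

# Only LISTENING rows count; the local address may be IPv4 or bracketed IPv6.
ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$")


def find_utorrent_rpc_listeners(netstat_text):
    """Return one finding per local listener on a port the article names."""
    findings = []
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # headers, non-listening sockets, other protocols
        addr, port, pid = m.group(1), int(m.group(2)), int(m.group(3))
        if port in UTORRENT_RPC_PORTS:
            findings.append({
                "client": UTORRENT_RPC_PORTS[port],
                "port": port,
                "pid": pid,
                # A loopback bind is still reachable from a browser on this host.
                "loopback_only": addr in ("127.0.0.1", "[::1]"),
            })
    return findings


if __name__ == "__main__":
    for f in find_utorrent_rpc_listeners(SAMPLE_NETSTAT):
        print(f)
```

A port match is only a lead, since other software can use the same ports; confirm which executable owns the reported PID before acting on it.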
BitTorrent failed to fix uTorrent bugs even after 90 days
The bugs were first disclosed to the company on November 27 and made public after the 90-day disclosure deadline. BitTorrent, the developer of the uTorrent apps, claims that the bugs have now been fixed in a beta release of the uTorrent Windows desktop app. If you are unable to install the latest version, it is advised that you stop using the uTorrent Windows desktop app and uTorrent Web, since there is no mitigation advice available. The fixed versions include: