uTorrent and BitTorrent clients have 'highly critical' security hole

Secunia has issued two new �highly critical� security alerts, one for uTorrent, version 1.7.7, build 8179 and the second for the official BitTorrent client, in version 6.xx.

�A vulnerability has been discovered in BitTorrent, which potentially can be exploited by malicious people to compromise a user�s system,� the alert says.

The vulnerability was originally discovered by Rhys Kidd and says it "is caused due to a boundary error in the processing of .torrent files. This can be exploited to cause a stack-based buffer overflow by tricking the user into opening a .torrent file containing an overly long �created by� field�."

�Successful exploitation may allow execution of arbitrary code.�

The flaw is only confirmed in version 1.7.7 right now but may in fact affect earlier versions.

Secunia and uTorrent advise to upgrade to the latest beta, version 1.8.0 at least.

You can download 1.8 here at Afterdawn: uTorrent 1.8 latest beta

Written by: Andre Yoskowitz @ 13 Aug 2008 14:24

Advertisement - News comments available below the ad

28 comments

core2kid

I use Azureus, thats safe right?

13.8.2008 15:02 #1

lxfactor

screw u .torrent

13.8.2008 15:27 #2

tavek

are people that cheap to not buy giganews with ecryption protection, cmon. GIGANEWS FTW! NEWSGROUPS FOR ALL!

13.8.2008 15:53 #3

NexGen76

Originally posted by tavek: are people that cheap to not buy giganews with ecryption protection, cmon. GIGANEWS FTW! NEWSGROUPS FOR ALL!
I heard that Newsgroups don't as much stuff as torrents thats why i haven't made the switch....

13.8.2008 16:46 #4

canuckerz

Originally posted by core2kid: I use Azureus, thats safe right?Yeah we should be good, it's made by different people though it's not impossible to have the same security hole.

13.8.2008 17:52 #5

tatsh

Well, a lot of trackers have banned version 1.8 and above for fear that it is sending data to MediaSentry and other companies. And, it's closed source so a lot of people cannot even analyse it and find out if it is true. Why not switch to something else? Azureus and Halite are great clients, both support encryption and ipfilter.dat.

13.8.2008 18:45 #6

geestar20

Quote:I heard that Newsgroups don't as much stuff as torrents thats why i haven't made the switch....Actually they have the same, but "stuff" seems to hit torrents before they hit newsgroups.

13.8.2008 19:52 #7

varnull

sheesh.. they only just found this out.. Dan posted about this hole 2 years ago ;) It's an old one, goes right back to bitcomet days.

Free open source software = made by end users who want an application to work. An engineer with a single tool in his toolbox is an idiot, not an engineer

13.8.2008 22:34 #8

rvinkebob

Originally posted by varnull: sheesh.. they only just found this out.. Dan posted about this hole 2 years ago ;) It's an old one, goes right back to bitcomet days.I knew there was something familiar about this. Though I think I first heard about it around 2-3 months ago.

By the way, sorry if this is an ignorant question, but what in the world is a newsgroup and does it work? Why does it cost money?

13.8.2008 23:11 #9

ydkjman

Originally posted by tatsh: Well, a lot of trackers have banned version 1.8 and above for fear that it is sending data to MediaSentry and other companies. And, it's closed source so a lot of people cannot even analyse it and find out if it is true. Is this really true ?

13.8.2008 23:29 #10

EricCarr

If you own a computer with a connection to the internet, you are open to be hacked or attacked. That's the bottom line. All the updates from MS, torrent files, P2P. No one is fully safe.

14.8.2008 00:27 #11

mododaz

I got a Feeling the Riaa Got Something to o with this. whether its to scare us, or they found the exploit i dunno

14.8.2008 07:55 #12

susieqbbb

i use other torrents utorrents are garbage and have always been garbage.

14.8.2008 08:18 #13

dukeidude

so are older bittorent files ok? or should i just download Azureus, now called Vuze? I just got a new comp so im tryin real hard not to screw it up at all

14.8.2008 14:23 #14

trick1

That's old news, just re-printed. Rhyskidd posted the discovery months ago on several security lists.

It's a THEORETICAL flaw. There is NO evidence of an exploit in the wild.

1.8 is no longer a beta.

16.8.2008 05:42 #15

chrissd

No evidence of the exploit being used doesn't mean it hasn't or won't be used. Just means that you haven't yet seen it. Though anyone who knowingly uses flawed software knowing it has security holes almost deserves to be hacked..

18.8.2008 09:30 #16

Mez

trick1, Oh yeah!

I will be forwarding this thread to a bitcomit user who has stopped opening torrents with it because some of his jobs were downloading but nothing was happening. We both came to the same conclusion, drop Bit Comit and in the meantime kill the jobs that have gone wacky.

Anyone using a P2P ought to be watchful for things that don't add up.

18.8.2008 09:43 #17

Mez

Sorry to be an alarmist! The anomily is probably not part of a plot for hijacking your computer. The data does not appear to be going anywhere on my friends computer. After reading this artical, he freaked out and spent the night figuring out what was going on. He did a controled test on one of the anomilies. He could not find where the data was going. We can presume the blocks were being discarded and not used somewhere else.

It is safer to carefully check into things that do not add up than presume everything is safe.

19.8.2008 10:06 #18

mrk44

Never liked utorrent....always had bad performance....now with this little security hole, it's even worse....glad I didn't use it.
I use BitTyrant...I know it's old, but it works better than anything I've used.

21.8.2008 03:56 #19

Mez

mrk44, what you you like about it? I have never heard of it.

21.8.2008 06:50 #20

mrk44

Google it. It's a modification of the Azureus 2.5 source code. They say on average, there was a 70% increase in speed compared to Azureus 2.5.
Go to the homepage and read more: http://bittyrant.cs.washington.edu/

NZXT Lexa Blackline - Gigabyte GA-X48-DS4 - Intel Core 2 Quad Q9450 OCed to 3 GHz - Thermalright Ultra-120 Extreme w/ Scythe SFF21F - 2x1GB Corsair Dominator DDR2/8500 1066 Mhz - Corsair TX650W PSU - "nVidia Prototype" 8800GTS 512MB GDDR3 - Seagate Barracuda 750GB SATAII HDD - Sony NEC Optiarc AD-7200S - HP w2207 22" Widescreen Monitor

21.8.2008 15:33 #21

varnull

Sorry Mark, but that's bull.. the maximum speed you will ever get from a properly configured torrent client is your maximum line speed. You can't get 200mbps over a 10mbps cable.. simple as.

Rules of the game are changing.. the undernet is becoming stronger with more users every day. Investigations are ongoing into good darknet torrent sites and clients. TPB need to force encryption of packets through the tracker.. become more like a private tracker. I know they are getting more and more annoyed about the ip gathering spies wading through the swarms.

For now only use a torrent client which has peer blocks and encryption.. older exploited and compromised clients are no longer acceptable...

As for �torrent.. how can anybody trust a closed source application which is owned and made by macrovision?

Free open source software = made by end users who want an application to work. An engineer with a single tool in his toolbox is an idiot, not an engineer

21.8.2008 15:43 #22

mrk44

varnull: Well, actually I wasn't saying that you get higher speeds than your line speed, just better performance on certain torrents on which you don't achieve max speeds.... Anyway, what do you suggest for a good client?

21.8.2008 16:05 #23

rvinkebob

I personally use Vuze on Windows and Deluge on Linux. They're my two favourite's and very customizable. I might even switch to using Vuze on linux rather than Deluge if it interests me. Though I always get maximum speed on both clients. Deluge is just a little more simple.

21.8.2008 22:06 #24

greensman

Originally posted by mrk44: varnull: Well, actually I wasn't saying that you get higher speeds than your line speed, just better performance on certain torrents on which you don't achieve max speeds.... Anyway, what do you suggest for a good client?Yes I'm curious as to your recommendation as well. :) I used Azureus a couple of years ago and it seemed a bit hoggish at the time. :P

....gm

22.8.2008 12:08 #25

mrk44

gm: You're right, I used Azureus for a while as well and wasn't happy because I was never getting the highest speeds that my line can get. So I went to look for another client, and found bittyrant. It's nickname is the "selfish bittorrent client". If you go to the homepage here, you can read more about the modifications they made to Azureus 2.5. The GUI is the same, but the performance is much better. I don't know how safe it is, but it has the same features as Azureus plus a little extra.

22.8.2008 14:36 #26

greensman

thanks mrk44. :)

I'll give that a look see and go from there. ;)

varnull.. what's your opinion on a torrent client?? :D

.....gm

[img]nothing right now!!![/img]
PC build thread blank media thread Ultimate DVD Backup resource thread what did binkie7 do to me???

22.8.2008 14:41 #27

Mez

Azureus is hoggish but it delivers. It uses more computer resources to push.

Just try it for your self. The new interface sucks.

I never heard of bittyrant. It sounds real good and probably has a more tollerable interface.

26.8.2008 09:29 #28

AfterDawn: News