
uTorrent and BitTorrent clients have 'highly critical' security hole

13 August 2008 14:24 by Andre "DVDBack23" Yoskowitz | 28 comments

Secunia has issued two new ‘highly critical’ security alerts, one for uTorrent version 1.7.7, build 8179, and the second for the official BitTorrent client, version 6.xx.

“A vulnerability has been discovered in BitTorrent, which potentially can be exploited by malicious people to compromise a user’s system,” the alert says.

The vulnerability was originally discovered by Rhys Kidd. The alert says it “is caused due to a boundary error in the processing of .torrent files. This can be exploited to cause a stack-based buffer overflow by tricking the user into opening a .torrent file containing an overly long ‘created by’ field.”

“Successful exploitation may allow execution of arbitrary code.”


The flaw is only confirmed in version 1.7.7 right now but may in fact affect earlier versions.

Secunia and uTorrent advise upgrading to at least the latest beta, version 1.8.0.

You can download 1.8 here at Afterdawn: uTorrent 1.8 latest beta
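
The field named in the alert can be inspected before a .torrent file is handed to any client. The following is an added example, not part of the original article and not code from uTorrent or BitTorrent: a minimal decoder for bencode (the encoding .torrent files use) that reports the length of the top-level 'created by' string. The 256-byte limit, the function names and the sample inputs are assumptions constructed for illustration.

```python
MAX_CREATED_BY = 256  # assumed policy limit; the alert gives no number

class BencodeError(ValueError):
    """Structurally invalid bencode."""

def _decode(data, i=0, depth=0):
    """Decode one bencoded value at data[i]; return (value, next_index)."""
    if depth > 64 or i >= len(data):
        raise BencodeError("truncated or nested too deeply")
    c = data[i:i + 1]
    if c == b"i":                                  # integer: i<digits>e
        end = data.index(b"e", i)
        return int(data[i + 1:end]), end + 1
    if c in (b"l", b"d"):                          # list or dictionary
        i, items = i + 1, []
        while data[i:i + 1] != b"e":
            value, i = _decode(data, i, depth + 1)
            items.append(value)
        if c == b"l":
            return items, i + 1
        keys = items[0::2]
        if len(items) % 2 or not all(isinstance(k, bytes) for k in keys):
            raise BencodeError("bad dictionary")
        return dict(zip(keys, items[1::2])), i + 1
    if c.isdigit():                                # byte string: <len>:<bytes>
        colon = data.index(b":", i, i + 12)
        start, n = colon + 1, int(data[i:colon])
        if start + n > len(data):                  # declared length must fit the input
            raise BencodeError("string runs past end of input")
        return data[start:start + n], start + n
    raise BencodeError("unknown type marker")

def check_created_by(data, limit=MAX_CREATED_BY):
    """Return (verdict, length); verdict is ok, oversized, absent or malformed."""
    try:
        meta, _ = _decode(data)
    except ValueError:                             # BencodeError, or index()/int() failures
        return "malformed", None
    # A non-dictionary top level yields 0 here and is reported as malformed.
    field = meta.get(b"created by") if isinstance(meta, dict) else 0
    if field is None:
        return "absent", None
    if not isinstance(field, bytes):
        return "malformed", None
    return ("oversized" if len(field) > limit else "ok"), len(field)

# Constructed sample inputs (not real torrents).
BENIGN = b"d10:created by13:ExampleClient4:infod4:name4:demoee"
OVERSIZED = b"d10:created by5000:" + b"A" * 5000 + b"e"
TRUNCATED = b"d10:created by5000:short"
```

A file whose declared string length runs past the end of the input is reported as malformed rather than read, which is the same boundary check the vulnerable parsing lacked for its destination buffer.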

    tavek (Member) 13 August 2008 15:53
    are people that cheap to not buy giganews with encryption protection, cmon. GIGANEWS FTW! NEWSGROUPS FOR ALL!
    NexGen76 (Member) 13 August 2008 16:46
    Originally posted by tavek:
    are people that cheap to not buy giganews with encryption protection, cmon. GIGANEWS FTW! NEWSGROUPS FOR ALL!

    I heard that Newsgroups don't have as much stuff as torrents, that's why I haven't made the switch....
    canuckerz (Senior Member) 13 August 2008 17:52
    Originally posted by core2kid:
    I use Azureus, that's safe right?
    Yeah we should be good, it's made by different people though it's not impossible to have the same security hole.
    tatsh (Junior Member) 13 August 2008 18:45
    Well, a lot of trackers have banned version 1.8 and above for fear that it is sending data to MediaSentry and other companies. And, it's closed source so a lot of people cannot even analyse it and find out if it is true. Why not switch to something else? Azureus and Halite are great clients, both support encryption and ipfilter.dat.
    geestar20 (AfterDawn Addict) 13 August 2008 19:52
    Quote:
    I heard that Newsgroups don't have as much stuff as torrents, that's why I haven't made the switch....
    Actually they have the same, but "stuff" seems to hit torrents before they hit newsgroups.
    varnull (Inactive) 13 August 2008 22:34
    sheesh.. they only just found this out.. Dan posted about this hole 2 years ago ;) It's an old one, goes right back to bitcomet days.



    Free open source software = made by end users who want an application to work. An engineer with a single tool in his toolbox is an idiot, not an engineer
    rvinkebob (Member) 13 August 2008 23:11
    Originally posted by varnull:
    sheesh.. they only just found this out.. Dan posted about this hole 2 years ago ;) It's an old one, goes right back to bitcomet days.
    I knew there was something familiar about this. Though I think I first heard about it around 2-3 months ago.

    By the way, sorry if this is an ignorant question, but what in the world is a newsgroup and does it work? Why does it cost money?


    This message has been edited since posting. Last time this message was edited on 13 August 2008 23:11

    ydkjman (Member) 13 August 2008 23:29
    Originally posted by tatsh:
    Well, a lot of trackers have banned version 1.8 and above for fear that it is sending data to MediaSentry and other companies. And, it's closed source so a lot of people cannot even analyse it and find out if it is true.
    Is this really true?

    This message has been edited since posting. Last time this message was edited on 13 August 2008 23:30

    EricCarr (Member) 14 August 2008 0:27
    If you own a computer with a connection to the internet, you are open to be hacked or attacked. That's the bottom line. All the updates from MS, torrent files, P2P. No one is fully safe.
    mododaz (Junior Member) 14 August 2008 7:55
    I got a feeling the RIAA got something to do with this. Whether it's to scare us, or they found the exploit, I dunno
    susieqbbb (Inactive) 14 August 2008 8:18
    I use other torrents. uTorrents are garbage and have always been garbage.
    dukeidude (Member) 14 August 2008 14:23
    so are older bittorrent files ok? or should I just download Azureus, now called Vuze? I just got a new comp so I'm tryin real hard not to screw it up at all
    trick1 (Newbie) 16 August 2008 5:42
    That's old news, just re-printed. Rhyskidd posted the discovery months ago on several security lists.

    It's a THEORETICAL flaw. There is NO evidence of an exploit in the wild.

    1.8 is no longer a beta.
    chrissd (Newbie) 18 August 2008 9:30
    No evidence of the exploit being used doesn't mean it hasn't or won't be used. Just means that you haven't yet seen it. Though anyone who knowingly uses flawed software knowing it has security holes almost deserves to be hacked..
    Mez (Senior Member) 18 August 2008 9:43
    trick1, Oh yeah!

    I will be forwarding this thread to a BitComet user who has stopped opening torrents with it because some of his jobs were downloading but nothing was happening. We both came to the same conclusion, drop BitComet and in the meantime kill the jobs that have gone wacky.

    Anyone using a P2P ought to be watchful for things that don't add up.
    Mez (Senior Member) 19 August 2008 10:06
    Sorry to be an alarmist! The anomaly is probably not part of a plot for hijacking your computer. The data does not appear to be going anywhere on my friend's computer. After reading this article, he freaked out and spent the night figuring out what was going on. He did a controlled test on one of the anomalies. He could not find where the data was going. We can presume the blocks were being discarded and not used somewhere else.

    It is safer to carefully check into things that do not add up than presume everything is safe.
    mrk44 (Member) 21 August 2008 3:56
    Never liked utorrent....always had bad performance....now with this little security hole, it's even worse....glad I didn't use it.
    I use BitTyrant...I know it's old, but it works better than anything I've used.

    This message has been edited since posting. Last time this message was edited on 21 August 2008 3:57

    Mez (Senior Member) 21 August 2008 6:50
    mrk44, what do you like about it? I have never heard of it.
    mrk44 (Member) 21 August 2008 15:33
    Google it. It's a modification of the Azureus 2.5 source code. They say on average, there was a 70% increase in speed compared to Azureus 2.5.
    Go to the homepage and read more: http://bittyrant.cs.washington.edu/

    NZXT Lexa Blackline - Gigabyte GA-X48-DS4 - Intel Core 2 Quad Q9450 OCed to 3 GHz - Thermalright Ultra-120 Extreme w/ Scythe SFF21F - 2x1GB Corsair Dominator DDR2/8500 1066 Mhz - Corsair TX650W PSU - "nVidia Prototype" 8800GTS 512MB GDDR3 - Seagate Barracuda 750GB SATAII HDD - Sony NEC Optiarc AD-7200S - HP w2207 22" Widescreen Monitor


    varnull (Inactive) 21 August 2008 15:43
    Sorry Mark, but that's bull.. the maximum speed you will ever get from a properly configured torrent client is your maximum line speed. You can't get 200mbps over a 10mbps cable.. simple as.

    Rules of the game are changing.. the undernet is becoming stronger with more users every day. Investigations are ongoing into good darknet torrent sites and clients. TPB need to force encryption of packets through the tracker.. become more like a private tracker. I know they are getting more and more annoyed about the ip gathering spies wading through the swarms.

    For now only use a torrent client which has peer blocks and encryption.. older exploited and compromised clients are no longer acceptable...

    As for µtorrent.. how can anybody trust a closed source application which is owned and made by macrovision?



    mrk44 (Member) 21 August 2008 16:05
    varnull: Well, actually I wasn't saying that you get higher speeds than your line speed, just better performance on certain torrents on which you don't achieve max speeds.... Anyway, what do you suggest for a good client?

    rvinkebob (Member) 21 August 2008 22:06
    I personally use Vuze on Windows and Deluge on Linux. They're my two favourites and very customizable. I might even switch to using Vuze on Linux rather than Deluge if it interests me. Though I always get maximum speed on both clients. Deluge is just a little more simple.


    greensman (AfterDawn Addict) 22 August 2008 12:08
    Originally posted by mrk44:
    varnull: Well, actually I wasn't saying that you get higher speeds than your line speed, just better performance on certain torrents on which you don't achieve max speeds.... Anyway, what do you suggest for a good client?
    Yes I'm curious as to your recommendation as well. :) I used Azureus a couple of years ago and it seemed a bit hoggish at the time. :P

    ....gm
    mrk44 (Member) 22 August 2008 14:36
    gm: You're right, I used Azureus for a while as well and wasn't happy because I was never getting the highest speeds that my line can get. So I went to look for another client, and found bittyrant. Its nickname is the "selfish bittorrent client". If you go to the homepage here, you can read more about the modifications they made to Azureus 2.5. The GUI is the same, but the performance is much better. I don't know how safe it is, but it has the same features as Azureus plus a little extra.

    greensman (AfterDawn Addict) 22 August 2008 14:41
    thanks mrk44. :)

    I'll give that a look see and go from there. ;)

    varnull.. what's your opinion on a torrent client?? :D

    .....gm

    Mez (Senior Member) 26 August 2008 9:29
    Azureus is hoggish but it delivers. It uses more computer resources to push.

    Just try it for yourself. The new interface sucks.

    I never heard of bittyrant. It sounds real good and probably has a more tolerable interface.