AfterDawn: Tech news

uTorrent and BitTorrent clients have 'highly critical' security hole

Written by Andre Yoskowitz (Google+) @ 13 Aug 2008 14:24 User comments (28)

uTorrent and BitTorrent clients have 'highly critical' security hole Secunia has issued two new ‘highly critical’ security alerts, one for uTorrent, version 1.7.7, build 8179 and the second for the official BitTorrent client, in version 6.xx.
“A vulnerability has been discovered in BitTorrent, which potentially can be exploited by malicious people to compromise a user’s system,” the alert says.

The vulnerability was originally discovered by Rhys Kidd and says it "is caused due to a boundary error in the processing of .torrent files. This can be exploited to cause a stack-based buffer overflow by tricking the user into opening a .torrent file containing an overly long ‘created by’ field”."

“Successful exploitation may allow execution of arbitrary code.”


The flaw is only confirmed in version 1.7.7 right now but may in fact affect earlier versions.

Secunia and uTorrent advise to upgrade to the latest beta, version 1.8.0 at least.

You can download 1.8 here at Afterdawn: uTorrent 1.8 latest beta

Previous Next  

28 user comments

113.8.2008 15:02

I use Azureus, thats safe right?

213.8.2008 15:27

screw u .torrent

313.8.2008 15:53
tavek
Inactive

are people that cheap to not buy giganews with ecryption protection, cmon. GIGANEWS FTW! NEWSGROUPS FOR ALL!

413.8.2008 16:46

Originally posted by tavek:
are people that cheap to not buy giganews with ecryption protection, cmon. GIGANEWS FTW! NEWSGROUPS FOR ALL!

I heard that Newsgroups don't as much stuff as torrents thats why i haven't made the switch....

513.8.2008 17:52

Originally posted by core2kid:
I use Azureus, thats safe right?
Yeah we should be good, it's made by different people though it's not impossible to have the same security hole.

613.8.2008 18:45

Well, a lot of trackers have banned version 1.8 and above for fear that it is sending data to MediaSentry and other companies. And, it's closed source so a lot of people cannot even analyse it and find out if it is true. Why not switch to something else? Azureus and Halite are great clients, both support encryption and ipfilter.dat.

713.8.2008 19:52

Quote:
I heard that Newsgroups don't as much stuff as torrents thats why i haven't made the switch....
Actually they have the same, but "stuff" seems to hit torrents before they hit newsgroups.

813.8.2008 22:34
varnull
Inactive

sheesh.. they only just found this out.. Dan posted about this hole 2 years ago ;) It's an old one, goes right back to bitcomet days.

913.8.2008 23:11

Originally posted by varnull:
sheesh.. they only just found this out.. Dan posted about this hole 2 years ago ;) It's an old one, goes right back to bitcomet days.
I knew there was something familiar about this. Though I think I first heard about it around 2-3 months ago.

By the way, sorry if this is an ignorant question, but what in the world is a newsgroup and does it work? Why does it cost money?
This message has been edited since its posting. Latest edit was made on 13 Aug 2008 @ 23:11


1013.8.2008 23:29

Originally posted by tatsh:
Well, a lot of trackers have banned version 1.8 and above for fear that it is sending data to MediaSentry and other companies. And, it's closed source so a lot of people cannot even analyse it and find out if it is true.
Is this really true ?
This message has been edited since its posting. Latest edit was made on 13 Aug 2008 @ 23:30

1114.8.2008 0:27

If you own a computer with a connection to the internet, you are open to be hacked or attacked. That's the bottom line. All the updates from MS, torrent files, P2P. No one is fully safe.

1214.8.2008 7:55

I got a Feeling the Riaa Got Something to o with this. whether its to scare us, or they found the exploit i dunno

1314.8.2008 8:18
susieqbbb
Inactive

i use other torrents utorrents are garbage and have always been garbage.

1414.8.2008 14:23

so are older bittorent files ok? or should i just download Azureus, now called Vuze? I just got a new comp so im tryin real hard not to screw it up at all

1516.8.2008 5:42

That's old news, just re-printed. Rhyskidd posted the discovery months ago on several security lists.

It's a THEORETICAL flaw. There is NO evidence of an exploit in the wild.

1.8 is no longer a beta.

1618.8.2008 9:30

No evidence of the exploit being used doesn't mean it hasn't or won't be used. Just means that you haven't yet seen it. Though anyone who knowingly uses flawed software knowing it has security holes almost deserves to be hacked..

1718.8.2008 9:43

trick1, Oh yeah!

I will be forwarding this thread to a bitcomit user who has stopped opening torrents with it because some of his jobs were downloading but nothing was happening. We both came to the same conclusion, drop Bit Comit and in the meantime kill the jobs that have gone wacky.

Anyone using a P2P ought to be watchful for things that don't add up.

1819.8.2008 10:06

Sorry to be an alarmist! The anomily is probably not part of a plot for hijacking your computer. The data does not appear to be going anywhere on my friends computer. After reading this artical, he freaked out and spent the night figuring out what was going on. He did a controled test on one of the anomilies. He could not find where the data was going. We can presume the blocks were being discarded and not used somewhere else.

It is safer to carefully check into things that do not add up than presume everything is safe.

1921.8.2008 3:56
mrk44
Inactive

Never liked utorrent....always had bad performance....now with this little security hole, it's even worse....glad I didn't use it.
I use BitTyrant...I know it's old, but it works better than anything I've used.

This message has been edited since its posting. Latest edit was made on 21 Aug 2008 @ 3:57

2021.8.2008 6:50

mrk44, what you you like about it? I have never heard of it.

2121.8.2008 15:33
mrk44
Inactive

Google it. It's a modification of the Azureus 2.5 source code. They say on average, there was a 70% increase in speed compared to Azureus 2.5.
Go to the homepage and read more: http://bittyrant.cs.washington.edu/


Cooler Master HAF 932 - Asus Maximus II Forumula - Intel Core 2 Quad Q9550 @ 4.00GHz - 2x2GB Corsair Dominator DDR2/8500 1066 Mhz - Corsair HX1000W PSU - Asus EAH5870 Graphics Card - Western Digital Velociraptor 300GB HDD - Western Digital Caviar Black 1TB WD1001FALS HDD - LG CH10LS20 Blu-ray Drive - Asus Xonar D2X Sound Card - Logitech X-540 5.1 Surround Speakers - Samsung P2370HD Monitor

2221.8.2008 15:43
varnull
Inactive

Sorry Mark, but that's bull.. the maximum speed you will ever get from a properly configured torrent client is your maximum line speed. You can't get 200mbps over a 10mbps cable.. simple as.

Rules of the game are changing.. the undernet is becoming stronger with more users every day. Investigations are ongoing into good darknet torrent sites and clients. TPB need to force encryption of packets through the tracker.. become more like a private tracker. I know they are getting more and more annoyed about the ip gathering spies wading through the swarms.

For now only use a torrent client which has peer blocks and encryption.. older exploited and compromised clients are no longer acceptable...

As for µtorrent.. how can anybody trust a closed source application which is owned and made by macrovision?

2321.8.2008 16:05
mrk44
Inactive

varnull: Well, actually I wasn't saying that you get higher speeds than your line speed, just better performance on certain torrents on which you don't achieve max speeds.... Anyway, what do you suggest for a good client?


Cooler Master HAF 932 - Asus Maximus II Forumula - Intel Core 2 Quad Q9550 @ 4.00GHz - 2x2GB Corsair Dominator DDR2/8500 1066 Mhz - Corsair HX1000W PSU - Asus EAH5870 Graphics Card - Western Digital Velociraptor 300GB HDD - Western Digital Caviar Black 1TB WD1001FALS HDD - LG CH10LS20 Blu-ray Drive - Asus Xonar D2X Sound Card - Logitech X-540 5.1 Surround Speakers - Samsung P2370HD Monitor

2421.8.2008 22:06

I personally use Vuze on Windows and Deluge on Linux. They're my two favourite's and very customizable. I might even switch to using Vuze on linux rather than Deluge if it interests me. Though I always get maximum speed on both clients. Deluge is just a little more simple.



2522.8.2008 12:08

Originally posted by mrk44:
varnull: Well, actually I wasn't saying that you get higher speeds than your line speed, just better performance on certain torrents on which you don't achieve max speeds.... Anyway, what do you suggest for a good client?
Yes I'm curious as to your recommendation as well. :) I used Azureus a couple of years ago and it seemed a bit hoggish at the time. :P

....gm

2622.8.2008 14:36
mrk44
Inactive

gm: You're right, I used Azureus for a while as well and wasn't happy because I was never getting the highest speeds that my line can get. So I went to look for another client, and found bittyrant. It's nickname is the "selfish bittorrent client". If you go to the homepage here, you can read more about the modifications they made to Azureus 2.5. The GUI is the same, but the performance is much better. I don't know how safe it is, but it has the same features as Azureus plus a little extra.


Cooler Master HAF 932 - Asus Maximus II Forumula - Intel Core 2 Quad Q9550 @ 4.00GHz - 2x2GB Corsair Dominator DDR2/8500 1066 Mhz - Corsair HX1000W PSU - Asus EAH5870 Graphics Card - Western Digital Velociraptor 300GB HDD - Western Digital Caviar Black 1TB WD1001FALS HDD - LG CH10LS20 Blu-ray Drive - Asus Xonar D2X Sound Card - Logitech X-540 5.1 Surround Speakers - Samsung P2370HD Monitor

2722.8.2008 14:41

thanks mrk44. :)

I'll give that a look see and go from there. ;)

varnull.. what's your opinion on a torrent client?? :D

.....gm


[img]quoted from creaky, "I think i need a break away from this thread, you are just talking absolute and utter nonsense now. Im off to ban myself and hit myself repeatedly with blunt objects. And if im still conscious after that im going to install Windows Me."[/img]
PC build thread blank media thread Ultimate DVD Backup resource thread what did binkie7 do to me???

2826.8.2008 9:29

Azureus is hoggish but it delivers. It uses more computer resources to push.

Just try it for your self. The new interface sucks.

I never heard of bittyrant. It sounds real good and probably has a more tollerable interface.

Comments have been disabled for this article.

News archive