TorrentFreak

The place where breaking news, BitTorrent and copyright collide

Critical Vulnerability Discovered in uTorrent

A vulnerability described as ‘critical’ has been discovered in versions of uTorrent and the official BitTorrent client. The ‘buffer overflow’ vulnerability can be exploited to compromise a user’s computer for the execution of arbitrary code. It is suggested that users should immediately update to uTorrent version 1.8 RC7 or higher. There is currently no fix for the official client.

utorrentSecunia has issued two urgent security alerts, one for uTorrent and the other for the mainline BitTorrent client. Both clients are being developed by BitTorrent Inc.

The vulnerability was found in uTorrent and can be maliciously exploited to compromise a user’s computer, however, it also affects the mainline BitTorrent client, since it’s based on the uTorrent code.

According to Secunia, “the vulnerability is caused due to a boundary error in the processing of .torrent files. This can be exploited to cause a stack-based buffer overflow by tricking the user into opening a .torrent file containing an overly long ‘created by’ field”.

A successful execution of the exploit would allow the attacker to run arbitrary code on the victim’s machine.

The vulnerability exists in uTorrent version 1.7.7 (Build 8179) and may well affect earlier versions too, although this isn’t yet confirmed. The flaw is also present in the official BitTorrent client, versions 6.xx.

The solution for uTorrent users is to immediately upgrade to version 1.8. Currently there is no solution for those using the mainline client. However, an update will be available soon, TorrentFreak was told. For now, caution is advised when using unverified torrents.

Related Posts

Previous Post | Next Post

  • Anonymous

    hmz ppl dont want to upgrade so the come up with crap like this lol

  • blah

    what did i tell you noobs about it….
    jesus people you htink that the hacker that posted the 1st exploit only had one?
    haha and notice the timing on this….
    there are several vulnerabilities in it.
    Anything made by corporations has not the love and care and anyhting not open sourced will have the problem for a long time before they admit they can’t solve it.

  • http://www.eZee.se www.eZee.se

    Am still on an older version as i dont upgrade immd for any software unless it has a critical update… would appreciate it if you update this article about how it affects older versions as and when the info is available…

  • blah

    oh the above can only be done IF YOU GOTO TORRENT SITES NOT KNOWN TO YOU.
    THIS MEANS THAT IF YOU WANDER TORRENT SITES YOUR AS MUCH A FOOL AS YOU CAN BE.
    boundary errors won’t happen at private sites unless the uploader is a real slick bad dude in witch case when evidence mounts that upper would be kicked and banned……
    thats how the community works to get rid a wankers.

  • blah

    also doesnt seem version 1.6.1 or 1.6 is affected, odd that ludde versions are ok

  • enter8

    Not that odd considering Ludde actually knows how to write software.

  • Anonymous

    uTorrent fail fail and fail again. You would think they would verify their inputs once in a while. How many clients have they rolled out with open attack vectors. I have lost count. Fuck you all *goes off to find the attack code*

  • Bob Dole

    @2

    Don’t pretend you’re a linux and open source fanboy…

    Open source programs have the same issues… mind you the major ubuntu update required SSH to have blacklists and major security patches on keys?

    Stop making us real linux users look like elitist’s, you jackass.

  • Rodalpho

    Older versions are affected too, the original advisory says every version of uTorrent for the past 2 years has the vulnerability. Basically just install 1.8 right now.

  • Steeley

    “Open source programs have the same issues… mind you the major ubuntu update required SSH to have blacklists and major security patches on keys?”

    In fairness, that was all Debian-based distributions, not just Ubuntu.

  • www.MyBurger.fr

    time to update =) it’s just one .exe after all, no installation or anything…

  • Anonymous

    Am I the only one bothered about how this was discovered merely a couple of days after 1.8 was released? Could uTorrent have another reason to get everyone to suddenly update?

  • Izkata

    I find it amusing that people defended Bittorrent Inc in the last uTorrent thread. Hopefully this should shut them up.

    Really, think about it: The exact same vulnerability discovered at the exact same time in two clients owned by Bittorrent Inc. Exactly how much of the good internal code did they replace with their version?!

  • anon

    Oh yes I’ll upgrade right away…. not . something doesnt smell right in torrentland.

  • Goon of Goons

    If they had another reason to get everyone to update that would actually justify the tinfoil-hat style reaction, people who know how to wireshark would put up reports.

    To date, NONE, that’s right, NONE, of the people who claim that uTorrent reports back to the *AAs have been able to prove it.

    The DHT traffic to router.utorrent.com is ONLY for bootstrapping. DHT traffic also includes torrents that have never been seen on your system, so any paranoia regarding being spied on through DHT is just stupid.

    Any *AA member that wants to spy on you uses their own client to connect to the same swarms you would. You’re not safe from them even if you write your own client from scratch.

  • asf

    I made a custom loader that checks the .torrent before starting utorrent for the vuln. in 1.6 (announce field buffer overflow that time) I guess I’ll just add this check too (1.6 foreva!)

  • nobody

    stop with the crashing crap, big deal it’s not like any body gonna do that your just giving a reason to make all the freakin private trackers ban this cause you don’t really “trust it” so stop with the crap.

  • AhHa

    So what is the best client to use?

  • Anonymous

    Dont use utorrent. Its made by people who have strong motives to compromise people who use bittorrent, and they don’t allow anyone to see their code.

    There are LOADS of alternatives to Utorrent.

    Whatever you use, make sure its opensource so you know what you’re using.

  • I like azureus

    @18

    I think azureus with the vuze interface disabled is the best bittorrent client for my needs.

    Its free, opensource, extensible, feature rich, reliable and native to Linux. That suits me.

  • –>

    Wait a moment?! Didn’t the same happen with the previous version? The timing is just way off and I don’t have to take this – again. I’m trying Hallite. Open source hasn’t disappointed me yet.

  • Anonymous

    utorrent mods on http://seba14.org

  • Serano

    Halite is good I really wish development would speed up on it a bit though but yes it is safe and open-source and not owned by a company just a single irish guy who does all of the coding.

    I’m currently running uTorrent 1.7.7 with no plans to update. It’s more of a “moral” issue for me. Bittorrent Inc. took over the codebase after 1.6 and while I was skeptic this doesn’t make sense. After all why would they want us to upgrade so bad? I’ve noticed that 97% of uTorrent users in the swarms I seen were still running 1.7.7 they are really pushing this upgrade.

    Azureus without Vuze is a great client but I still think I will be perminently moving to Halite.

  • Anonymous

    If you use open source clients like azureus, ktorrent or transmission, DONATE! and help speed up and improve development!

    Show your appreciation to the devs for providing free and open stuff for the rest of us to use.

  • Serano

    Update: I have everything migrated over to Halite now like I had been planning, works like a charm. ^^

  • @ lolexploit

    who cares about exploit ?

    keep with 1.6, and not going to untrusted sites, end of story.

    I mean, we already use windows, right … so talk about safety

  • Anonymous

    I really wonder what causes this dumbfuck disease. Instead of using something else the infected subjects just refuse to update the product from the assumed evil party. I first noticed this hypocrisy with respect to Microsoft’s products but nowadays it seems to affect other vendors as well.

  • Anonymous

    I don’t see why everyone hates this client so much. It has a security vulnerability! :O!!! So does the operating system you’re currently using, whether it is linux, osx, or windows.

    “Really, think about it: The exact same vulnerability discovered at the exact same time in two clients owned by Bittorrent Inc. Exactly how much of the good internal code did they replace with their version?!”

    I thought they were pretty much the same thing. Was that ever in question?

    “Show your appreciation to the devs for providing free and open stuff for the rest of us to use.”

    Yes, I agree. They do great work.

  • zuta

    i use utorrent 1.77 & prefer using that!!

  • amc1

    “The exact same vulnerability discovered at the exact same time in two clients owned by Bittorrent Inc.”
    That’s probably more to do with the fact that the official BT client is just a version of uTorrent rebranded. So not a surprise there.

    Just so that we can stop the FUD and misinformation – I modified an existing torrent to cause the problems mentioned if people want to test:
    http://www.divshare.com/download/5164526-1c8

    It seems to break all 1.7.x versions, and some of the 1.8 RC candidates. 1.6.1 seems OK, as does 1.8. In 1.6, it displays the torrent creation date in the Created On field. In 1.7 onwards, that was changed to include the date of creation, and what was in the Created By field. So it was new functionality, added in 1.7 – if you try to view the torrent information, it will break. In 1.8, it handles the large Created By text.

  • Anonymous

    Wow. If anyone ever wonders how people’s computers end up as part of a botnet, they can just read these comments.

    “Huh? Exploit? Execute arbitrary code? Duh, I see no reason to upgrade.”

  • JeanCar

    What is ‘Bit Torent’ for? (and if? how do you use it)

  • Gargamel

    Another exploit in utorrent? lol.

    I’ve been using the little blue Azureus 2504 for 3+ yrs and not one single problem.

    utorrents for machines that cant run a real client.

  • amc1

    “I’ve been using the little blue Azureus 2504 for 3+ yrs and not one single problem.”
    Wow – that’s made even more impressive that 2504 is only a year and a half old. ;)

  • Gargamel

    your right. Typo on my part. I meant been using Az for 3 years, i stopped upgrading at 2504.

    I havent bothered with Vuze, looks like bloatware. Is it any good?

  • Meocross

    @35

    i didnt go to Azureus because of the Bloatware that is Vuze, Vuze should be a addon you can decide install by choice, thats the only reason why im using utorrent. if there is another program like utorrent delete utorrent asap, this software is becoming too shady, its only a matter of time before they turn it into a rootkit

  • amc1

    Quick answer – if you just want to try an updated version of Azureus / Vuze, but want the same user interface – read this guide (with screenshots!):
    http://www.azureuswiki.com/index.php/The_Azureus_Experience

    You can give the Vuze UI a try if you want – some people like it, some don’t. You can access the old interface from inside the new one – which some people prefer.

  • Gargamel

    @36- Why not just use 2504? Its still widely accepted on almost all sites and extremely stable. I havent had a single problem with it.

    If you have the ram that is? its a bit heavier on the resources but i have 2gig of ram and i literally dont even notice its there.

  • Xec

    You can strip out the Vuze content layer pretty easily. I run 3.1.1.0 just fine because I disabled Vuze and just upgraded as normal. The only notable change now is the client is totally called Vuze but they kept Azureus peer ID to comply with trackers so it is still accepted fine. I will probably stick with it until one of the following things happen:

    1. The source closes for any reason
    2. It forces a Vuze upgrade

    In either case I will just find a fork and keep running off of that. Sure it’s a little hefty on the RAM but I have 3GB to spare just fine since I moved back to XP >:)

  • Meocross

    i only have 761 ram does that mean no azureus for me?(;.;)…..

  • Anonymous

    I used Azureus with 256m of ram on a 1ghz duron a lot. Just because you see the interface not update fast, doesn’t mean the client is not doing its job right. Stick to the latest java version and you should be fine.

  • Jim McDish

    Just what we need, more holes for hackers and undesirables to exploit! Scary indeed.

    JT
    http://www.FireMe.to/udi

  • Meocross

    Thanks for the heads up No.41 Anon ill go and download Vuze soon enough.

    and by the way this page was just posted on the front page of dig.com. LoL

    http://digg.com/tech_news/Critical_Vulnerability_Discovered_in_uTorrent

  • better than all of you!

    I think the torrent community should step away from utorrent. these issues would go away if they were open source…

  • Izkata

    I was hanging back on Azureus 3 for a long time, since I too hated the Vuze interface. Eventually I just gave, upgrade, and disabled all the Vuze portions. It’s actually pretty nice, since the Vuze stuff doesn’t take any memory when it’s disabled.

    There’s even several more plugins that don’t work in 2.5.0.4, one of which I LOVE: Estimated time until seeding goal reached.

    28: “I thought they were pretty much the same thing. Was that ever in question?”

    Well, now they are. I was talking about code replaced between when it was bought and now.

  • skeptic

    I have an odd feeling about this one. looks like something fishy going on here.

  • everyone

    Instead of upgrading, every µtorrent user should downgrade to 1.6; the last version before it was sold to bittorrent

    Never had any problem.

    And to the guy who mentionned botnet :
    loltard

  • fox chasing white fags chased by bears

    Only stupid fucks would use a proprietary bittorrent client.

    Can’t see the code? Black fucking box!

  • Zoness

    I’m happy with Azureus 3.1.1.0 myself I don’t have to worry about OMG SPIEZ or any of that crap with nice open source code. RAM is only argument I hear from people who are against the client but it runs pretty well on some older machines of mine. Worst case scenario you strip out a lot of the plugins and the Vuze content layer and it makes a difference.

  • rehased story

    by Anonymous

    Am I the only one bothered about how this was discovered merely a couple of days after 1.8 was released? Could uTorrent have another reason to get everyone to suddenly update?

    This story came out not long after 1.7 was out. And it now gets rehashed
    to coincide with screwtorrents latest
    sheep machine

    This happens at every new version now. And why is one needed every 6 months? btw you can run many different bt apps, even at the same time. So why not try some others?

  • Anonymous

    Holy shit will you people stfu about open source. A company isn’t liable to show you their code.

    Instead of whining like little children about how much you hate this client.. why don’t you go write your own. :) Oh wait.. you can’t? Oh I’m sorry.

    @ the downgrade-preaching people: Yeah yeah and I assume you think Windows sucks because it’s owned by Microsoft huh. Yeah, whatever. Fucking retards with peanut-sized brains.

    Oh and one last thing. Java sucks ass. Sorry Azureus.

  • Anonymous

    I think Digg’s comment stupidity is spreading to other websites.

  • Anonymous

    Holy sh*t will you people stfu about open source. A company isn’t liable to show you their code.

    Instead of whining like little children about how much you hate this client.. why don’t you go write your own. :) Oh wait.. you can’t? Oh I’m sorry.

    @ the downgrade-preaching people: Yeah yeah and I assume you think Windows sucks because it’s owned by Microsoft huh. Yeah, whatever. F*cking retards with peanut-sized brains.

    Oh and one last thing. Java sucks *ss. Sorry Azureus.

  • Anonymous

    . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
    . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .It’s a trap! . . .
    . . . . . . . . . . . . . . . . _,,,–~~~~~~~~–,_ . . . . . . . . . . . . . .
    . . . . . . . . . . . . . . ,-’ : : : :::: :::: :: : : : : :º ‘-, . . . . . . . . . . . .
    . . . . . . . . . . . . .,-’ :: : : :::: :::: :::: :::: : : :o : ‘-, . . . . . . . . . .
    . . . . . . . . . . . ,-’ :: ::: :: : : :: :::: :::: :: : : : : :O ‘-, . . . . . . . . .
    . . . . . . . . . .,-’ : :: :: :: :: :: : : : : : , : : :º :::: :::: ::’; . . . . . . . .
    . . . . . . . . .,-’ / / : :: :: :: :: : : :::: :::-, ;; ;; ;; ;; ;; ;; ; . . . . . . . .
    . . . . . . . . /,-’,’ :: : : : : : : : : :: :: :: : ‘-, ;; ;; ;; ;; ;; ;;| . . . . . . .
    . . . . . . . /,’,-’ :: :: :: :: :: :: :: : ::_,-~~,_’-, ;; ;; ;; ;; | . . . . . . .
    . . . . . _/ :,’ :/ :: :: :: : : :: :: _,-’/ : ,-’;'-””’~-, ;; ;; ;;,’ . . . . . . . .
    . . . ,-’ / : : : : : : ,-”’ : : :,–” :|| /,-’-'–”’__,”’ ;; ;,-’ . . . . . . . .
    . . . :/,, : : : _,-’ –,,_ : : : ||/ /,-’-'x### :: ;;/ . . . . . . . . . .
    . . . . / /—”” : # : : : : : | | : (O##º : :/ /-” . . . . . . . . . . .
    . . . . /,’____ : : ‘-# : , : : : : ‘-,___,-’,-`-,, . . . . . . . . . . .
    . . . . ‘ ) : : : :””–,,–,,,,,,¯ :: ::–,,_”-,,”’¯ :’- :’-, . . . . . . . . .
    . . . . .) : : : : : : ,, : ””~~~~’ :: :: :: :””’¯ :: ,-’ :,/ . . . . . . . . .
    . . . . .,/ /|\| | :/ / : : : : : : : ,’-, :: :: :: :: ::,–” :,-’ . . . . . . . .
    . . . . .\’|\ |/ ‘/ / :: :_–,, : , | )’; :: :: :: :,-” : ,-’ : : : , . . . . . . .
    . . . ./¯ :| | : |/ :: ::—-, :/ :|/ :: :: ,-” : :,-’ : : : : : : ”-,,_ . . . .
    . . ..| : : :/ ”-(, :: :: :: ””’~,,,,,” :: ,-” : :,-’ : : : : : : : : :,-”’\ . . . .
    . ,-’ : : : | : : ”) : : :¯””~-,: : ,–”’ : :,-” : : : : : : : : : ,-’ :¯””’-,_ .
    ./ : : : : :’-, :: | :: :: :: _,,-””¯ : ,–” : : : : : : : : : : : / : : : : : : :”-,
    / : : : : : -, :¯”””””’¯ : : _,,-~” : : : : : : : : : : : : : :| : : : : : : : : :
    : : : : : : :¯”~~~~~~”’ : : : : : : : : : : : : : : : : : : | : : : : : : : : :

  • pSynrg

    One things for sure – it should never have been called a ‘swarm’.
    Rather a flock…

    Baaaaaa

  • Anon

    well to avoid the exploit just don’t download any recent torrent uploads

  • watching-

    any private tracker that knows anything will have controlled those exploits that are present and banned anything above 1.6.1 – DAAAAAa
    who owns them ? why Both clients are being developed by BitTorrent Inc.

    and who owns Bram Cohen and BitTorrent, Inc. ass lock stock n barrel ?

    Well the old saying is true stupid is stupid does-

    also the facts are wrong all utorrent was was a reverse engineering job of bitcomet – thats wtf ludde did

  • Anonymous

    On top of this nice news, 1.8 seems slow as hell, even when there are a ton of seeders.

  • Anonymous

    May be µTorrent v1.8 is the one with the problem. Or somebody who is jealous of its popularity is trying to trick people to dispose it.When I read all of this I feel like going to Azureus.But I am going to stick with µTorrent.I don’t know anything about programing or the technical stuff like that but when I view the peers list 95% of them are using µTorrent.

  • Anonymous I think

    May be µTorrent v1.8 is the one with the problem. Or somebody who is jealous of its popularity is trying to trick people to dispose it.When I read all of this I feel like going to Azureus.But I am going to stick with µTorrent.I don’t know anything about programing or the technical stuff like that but when I view the peers list 95% of them are using µTorrent.

  • lollol

    µTorrent fucking sucks. bitcomet > ANY FUCKING THING!

  • Nurrr

    LMAO Bitcomet more like bannedcomet

    People talk of the bloatware of Azureus but you can remove anything you don’t want you know. Azureus is for people with real computers :>

  • Buggy

    I really don’t know what people are complaining about with uTorrent. Version 1.8 has some nice new features, no bugs I’ve ever seen and is definitely not sending information straight to the authorities. I understand people using other clients (except Vuze/Azureus that thing is a massive memory hog) but why bash uTorrent? The only other client I’ve liked is BitComet but it doesn’t appear to support RSS downloading which I’ve really started to love.

  • ngbg

    Well, I did the update. If not I have no use of utorrent since I´ll be BANNED in most torrentsites that is important to me, so…

  • Anonymous

    I don’t recommend BitComet it abuses the optomistic unchoke function to take priority over others in the swarm, most closed trackers don’t allow it.

  • oneplusone

    Yeah, everyone knows Java’s not very secure.

    10 JRE updates a week make me wonder why Azureus is considered so much safer by so many people.

  • Anonymous

    How do you downgrade back to 1.7.7?

  • Anonymous

    You can get µTorrent v1.7.7 from here:

    http://www.oldapps.com/

    Or the older versions of any other bit torrent client

  • Anonymous

    It’s the same, every time a new version is released they say older version has bugs and their explanation is almost the same
    Vulnerability,buffer overflow blah, blah
    See here:
    http://torrentfreak.com/utorrent-vulnerable-to-remote-exploits/

  • Phishybongwaters

    ok, i love utorrent, and will probably always use it as my preferred client.

    Here’s the thing. I just installed 1.8 and I have a few concerns.

    first off, there is now a built in timer for the ‘update tracker’ function, which stops me from hammering updates to the tracker to pickup more peers. due to the type and quality of my connection, i need to cap the uploads pretty low until i complete the torrent, then i change the number of upload slots, uncap the upload, and update the tracker a few times. now I can’t, which leads directly to the next issue.

    As stated i need to cap my upload speeds. Most guides suggest 80%. If you don’t mind your download suffering, that’s great. I cap to 5k until it’s done, then let it open wide for a few days or so.

    well, my tests showed me something interesting.

    Utorrent 1.7 with the upload capped to 5k, on a specific torrent, lets my download at 600kbps.

    Utorrent 1.8 with the upload cap set to 25 or above lets me hit that 600kbps. The very instant i cap it to anything lower than 25kbps, my download drops to 100kbps max, and sits there until i uncap the upload.

    I tested and retested, same results every time on several torrents. They’ve changed the forced share ratio to guess your max upload (or go by the settings you provided) and it literally messes with your download unless you uncap to something around 75%.

    bollox my friends, bollox.

  • Anonymous

    Thanks #69

  • Firon

    No such cap has been implemented at those upload speeds, #70.

  • Anonimus

    Why they want to upgrade to v1.8 of utorrent? I think v1.8 have some bugs and they want more users to have v1.8 this way they can exploit this bug :)))

  • Anonymous

    Did you try using different trackers #70

  • Anonymous

    How do you find a Vulnerability if the program is not open source

  • Anonymous

    Comment trouvez-vous une vulnérabilité si le programme n’est pas open source

  • Anonymous

    Hoe vindt u een kwetsbaarheid als het programma niet open source

  • stuffies

    Only n00bs would believe this bullshit.

  • Marc

    @70, yeah, since version 1.8 they have a trick built in. you cant cap your upload speed too low or else it severely limits your download, which can be a problem in some cases when you run into a torrent that is really slow downloading for example. its built in, no way of changing that, if you cap below 4-5 or 6 k/s, depending on the version you are trying, it limits your download speed big time. i tested this and then went back to 1.7.7, i am thinking of switching to something else anyway … deluge is supposed to be good too ???

  • Anonymous

    Switch to Halite

  • pissed off

    fuck this, I don’t want to upgrade to 1.8, that’s total bullshit that trackers are forcing us to switch to it, fucking bullshit, it’s flawed.

  • Rhys

    I discovered this vulnerability by doing some basic reverse engineering of uTorrent quite some time ago.

    The vulnerability occurs because the coders of uTorrent continue to use a known unsafe memory API to move blocks of information around.

    Is it a deliberate attempt by RIAA/MPAA etc? No, it’s just simply lazy coding.

    Microsoft was hit by these same type of issues back in 2001-2003, but they took the time to update their code. uTorrent simply didn’t. They need to improve their internal secure coding techniques and improve developer training.

    No conspiracy here, just laziness.

  • BTGuard - BitTorrent Anonymously

NewsBits

Even more news...

  • Blu-ray Anti-Piracy Tech Stops Discs and Promotes Purchases

    An anti-piracy system present in all official Blu-ray players since 2012 has received a fresh update...

  • Foxtel Breeds Pirates by Locking Up Game of Thrones

    One of the main reasons why people turn to piracy is the lack of legal alternatives....

  • UK Student Admits Breaching Sony Copyrights With Leak of PS3 SDK

    Last year an Internet user known as El Nomeo leaked version 3.70 of Sony’s Playstation3 SDK...

  • Pirates Can Be Identified Despite Sharing IP Addresses, ISP Claims

    Carrier-Grade Network Address Translation is a network mechanism through which many Internet subscribers can share the...

  • Feds Seize Cash from Major Bitcoin Exchange’s Dwolla Account

    The U.S. Government has taken a significant action against the web’s top Bitcoin exchange by seizing...

MostDiscussed

Below are TorrentFreak's most discussed articles of the past month. Join the discussion if you like.

CopyQuote

Left Quote

“The Pirate Bay has been one of the most important movements in Sweden for freedom of speech, working against corruption and censorship.

Peter Sunde Left Quote

PopularArticles

A selection of some TorrentFreak's classics dug up from our archives.