Comments on: Critical Vulnerability Discovered in uTorrent

By: Rhys

Rhys — Fri, 22 Aug 2008 12:05:47 +0000

I discovered this vulnerability by doing some basic reverse engineering of uTorrent quite some time ago.

The vulnerability occurs because the coders of uTorrent continue to use a known unsafe memory API to move blocks of information around.

Is it a deliberate attempt by RIAA/MPAA etc? No, it’s just simply lazy coding.

Microsoft was hit by these same type of issues back in 2001-2003, but they took the time to update their code. uTorrent simply didn’t. They need to improve their internal secure coding techniques and improve developer training.

No conspiracy here, just laziness.

By: pissed off

pissed off — Thu, 21 Aug 2008 22:37:14 +0000

fuck this, I don’t want to upgrade to 1.8, that’s total bullshit that trackers are forcing us to switch to it, fucking bullshit, it’s flawed.

By: Anonymous

Anonymous — Sun, 17 Aug 2008 12:14:04 +0000

Switch to Halite

By: Marc

Marc — Sat, 16 Aug 2008 15:49:57 +0000

@70, yeah, since version 1.8 they have a trick built in. you cant cap your upload speed too low or else it severely limits your download, which can be a problem in some cases when you run into a torrent that is really slow downloading for example. its built in, no way of changing that, if you cap below 4-5 or 6 k/s, depending on the version you are trying, it limits your download speed big time. i tested this and then went back to 1.7.7, i am thinking of switching to something else anyway … deluge is supposed to be good too ???

By: stuffies

stuffies — Sat, 16 Aug 2008 14:33:46 +0000

Only n00bs would believe this bullshit.

By: Anonymous

Anonymous — Sat, 16 Aug 2008 13:54:03 +0000

Hoe vindt u een kwetsbaarheid als het programma niet open source

By: Anonymous

Anonymous — Sat, 16 Aug 2008 13:53:34 +0000

Comment trouvez-vous une vulnÃ©rabilitÃ© si le programme n’est pas open source

By: Anonymous

Anonymous — Sat, 16 Aug 2008 13:51:40 +0000

How do you find a Vulnerability if the program is not open source

By: Anonymous

Anonymous — Fri, 15 Aug 2008 11:52:18 +0000

Did you try using different trackers #70

By: Anonimus

Anonimus — Fri, 15 Aug 2008 07:14:08 +0000

Why they want to upgrade to v1.8 of utorrent? I think v1.8 have some bugs and they want more users to have v1.8 this way they can exploit this bug :)))

By: Firon

Firon — Fri, 15 Aug 2008 05:46:27 +0000

No such cap has been implemented at those upload speeds, #70.

By: Anonymous

Anonymous — Thu, 14 Aug 2008 06:58:48 +0000

Thanks #69

By: Phishybongwaters

Phishybongwaters — Thu, 14 Aug 2008 06:49:45 +0000

ok, i love utorrent, and will probably always use it as my preferred client.

Here’s the thing. I just installed 1.8 and I have a few concerns.

first off, there is now a built in timer for the ‘update tracker’ function, which stops me from hammering updates to the tracker to pickup more peers. due to the type and quality of my connection, i need to cap the uploads pretty low until i complete the torrent, then i change the number of upload slots, uncap the upload, and update the tracker a few times. now I can’t, which leads directly to the next issue.

As stated i need to cap my upload speeds. Most guides suggest 80%. If you don’t mind your download suffering, that’s great. I cap to 5k until it’s done, then let it open wide for a few days or so.

well, my tests showed me something interesting.

Utorrent 1.7 with the upload capped to 5k, on a specific torrent, lets my download at 600kbps.

Utorrent 1.8 with the upload cap set to 25 or above lets me hit that 600kbps. The very instant i cap it to anything lower than 25kbps, my download drops to 100kbps max, and sits there until i uncap the upload.

I tested and retested, same results every time on several torrents. They’ve changed the forced share ratio to guess your max upload (or go by the settings you provided) and it literally messes with your download unless you uncap to something around 75%.

bollox my friends, bollox.

By: Anonymous

Anonymous — Thu, 14 Aug 2008 02:24:53 +0000

It’s the same, every time a new version is released they say older version has bugs and their explanation is almost the same
Vulnerability,buffer overflow blah, blah
See here:
http://torrentfreak.com/utorrent-vulnerable-to-remote-exploits/

By: Anonymous

Anonymous — Thu, 14 Aug 2008 01:07:39 +0000

You can get ÂµTorrent v1.7.7 from here:

http://www.oldapps.com/

Or the older versions of any other bit torrent client

By: Anonymous

Anonymous — Wed, 13 Aug 2008 20:46:20 +0000

How do you downgrade back to 1.7.7?

By: oneplusone

oneplusone — Wed, 13 Aug 2008 19:11:38 +0000

Yeah, everyone knows Java’s not very secure.

10 JRE updates a week make me wonder why Azureus is considered so much safer by so many people.

By: Anonymous

Anonymous — Wed, 13 Aug 2008 18:05:40 +0000

I don’t recommend BitComet it abuses the optomistic unchoke function to take priority over others in the swarm, most closed trackers don’t allow it.

By: ngbg

ngbg — Wed, 13 Aug 2008 13:36:10 +0000

Well, I did the update. If not I have no use of utorrent since IÂ´ll be BANNED in most torrentsites that is important to me, so…

By: Buggy

Buggy — Wed, 13 Aug 2008 13:28:29 +0000

I really don’t know what people are complaining about with uTorrent. Version 1.8 has some nice new features, no bugs I’ve ever seen and is definitely not sending information straight to the authorities. I understand people using other clients (except Vuze/Azureus that thing is a massive memory hog) but why bash uTorrent? The only other client I’ve liked is BitComet but it doesn’t appear to support RSS downloading which I’ve really started to love.

By: Nurrr

Nurrr — Wed, 13 Aug 2008 13:24:52 +0000

LMAO Bitcomet more like bannedcomet

People talk of the bloatware of Azureus but you can remove anything you don’t want you know. Azureus is for people with real computers :>

By: lollol

lollol — Wed, 13 Aug 2008 10:35:39 +0000

ÂµTorrent fucking sucks. bitcomet > ANY FUCKING THING!

By: Anonymous I think

Anonymous I think — Wed, 13 Aug 2008 10:13:11 +0000

May be ÂµTorrent v1.8 is the one with the problem. Or somebody who is jealous of its popularity is trying to trick people to dispose it.When I read all of this I feel like going to Azureus.But I am going to stick with ÂµTorrent.I don’t know anything about programing or the technical stuff like that but when I view the peers list 95% of them are using ÂµTorrent.

By: Anonymous

Anonymous — Wed, 13 Aug 2008 10:12:46 +0000

By: Anonymous

Anonymous — Wed, 13 Aug 2008 07:45:56 +0000

On top of this nice news, 1.8 seems slow as hell, even when there are a ton of seeders.

By: watching-

watching- — Wed, 13 Aug 2008 07:07:38 +0000

any private tracker that knows anything will have controlled those exploits that are present and banned anything above 1.6.1 – DAAAAAa
who owns them ? why Both clients are being developed by BitTorrent Inc.

and who owns Bram Cohen and BitTorrent, Inc. ass lock stock n barrel ?

Well the old saying is true stupid is stupid does-

also the facts are wrong all utorrent was was a reverse engineering job of bitcomet – thats wtf ludde did

By: Anon

Anon — Wed, 13 Aug 2008 02:47:51 +0000

well to avoid the exploit just don’t download any recent torrent uploads

By: pSynrg

pSynrg — Wed, 13 Aug 2008 02:38:10 +0000

One things for sure – it should never have been called a ‘swarm’.
Rather a flock…

Baaaaaa

By: Anonymous

Anonymous — Wed, 13 Aug 2008 02:32:49 +0000

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .It's a trap! . . . . . . . . . . . . . . . . . . . _,,,--~~~~~~~~--,_ . . . . . . . . . . . . . . . . . . . . . . . . . . . . ,-' : : : :::: :::: :: : : : : :Âº '-, . . . . . . . . . . . . . . . . . . . . . . . . .,-' :: : : :::: :::: :::: :::: : : :o : '-, . . . . . . . . . . . . . . . . . . . . . ,-' :: ::: :: : : :: :::: :::: :: : : : : :O '-, . . . . . . . . . . . . . . . . . . .,-' : :: :: :: :: :: : : : : : , : : :Âº :::: :::: ::'; . . . . . . . . . . . . . . . . .,-' / / : :: :: :: :: : : :::: :::-, ;; ;; ;; ;; ;; ;; ; . . . . . . . . . . . . . . . . /,-',' :: : : : : : : : : :: :: :: : '-, ;; ;; ;; ;; ;; ;;| . . . . . . . . . . . . . . /,',-' :: :: :: :: :: :: :: : ::_,-~~,_'-, ;; ;; ;; ;; | . . . . . . . . . . . . _/ :,' :/ :: :: :: : : :: :: _,-'/ : ,-';'-'''''~-, ;; ;; ;;,' . . . . . . . . . . . ,-' / : : : : : : ,-''' : : :,--'' :|| /,-'-'--'''__,''' ;; ;,-' . . . . . . . . . . . :/,, : : : _,-' --,,_ : : : ||/ /,-'-'x### :: ;;/ . . . . . . . . . . . . . . / /---'''' : # : : : : : | | : (O##Âº : :/ /-'' . . . . . . . . . . . . . . . /,'____ : : '-# : , : : : : '-,___,-',-`-,, . . . . . . . . . . . . . . . ' ) : : : :''''--,,--,,,,,,Â¯ :: ::--,,_''-,,'''Â¯ :'- :'-, . . . . . . . . . . . . . .) : : : : : : ,, : ''''~~~~' :: :: :: :'''''Â¯ :: ,-' :,/ . . . . . . . . . . . . . .,/ /|\| | :/ / : : : : : : : ,'-, :: :: :: :: ::,--'' :,-' . . . . . . . . . . . . .\'|\ |/ '/ / :: :_--,, : , | )'; :: :: :: :,-'' : ,-' : : : , . . . . . . . . . . ./Â¯ :| | : |/ :: ::----, :/ :|/ :: :: ,-'' : :,-' : : : : : : ''-,,_ . . . . . . ..| : : :/ ''-(, :: :: :: '''''~,,,,,'' :: ,-'' : :,-' : : : : : : : : :,-'''\ . . . . . ,-' : : : | : : '') : : :Â¯''''~-,: : ,--''' : :,-'' : : : : : : : : : ,-' :Â¯'''''-,_ . ./ : : : : :'-, :: | :: :: :: _,,-''''Â¯ : ,--'' : : : : : : : : : : : / : : : : : : :''-, / : : : : : -, :Â¯'''''''''''Â¯ : : _,,-~'' : : : : : : : : : : : : : :| : : : : : : : : : : : : : : : :Â¯''~~~~~~''' : : : : : : : : : : : : : : : : : : | : : : : : : : : :

By: Anonymous

Anonymous — Wed, 13 Aug 2008 02:27:51 +0000

Holy sh*t will you people stfu about open source. A company isn’t liable to show you their code.

Instead of whining like little children about how much you hate this client.. why don’t you go write your own. :) Oh wait.. you can’t? Oh I’m sorry.

@ the downgrade-preaching people: Yeah yeah and I assume you think Windows sucks because it’s owned by Microsoft huh. Yeah, whatever. F*cking retards with peanut-sized brains.

Oh and one last thing. Java sucks *ss. Sorry Azureus.

By: Anonymous

Anonymous — Wed, 13 Aug 2008 02:26:44 +0000

I think Digg’s comment stupidity is spreading to other websites.

By: Anonymous

Anonymous — Wed, 13 Aug 2008 02:25:06 +0000

Holy shit will you people stfu about open source. A company isn’t liable to show you their code.

Instead of whining like little children about how much you hate this client.. why don’t you go write your own. :) Oh wait.. you can’t? Oh I’m sorry.

@ the downgrade-preaching people: Yeah yeah and I assume you think Windows sucks because it’s owned by Microsoft huh. Yeah, whatever. Fucking retards with peanut-sized brains.

Oh and one last thing. Java sucks ass. Sorry Azureus.

By: rehased story

rehased story — Wed, 13 Aug 2008 01:39:30 +0000

by Anonymous

Am I the only one bothered about how this was discovered merely a couple of days after 1.8 was released? Could uTorrent have another reason to get everyone to suddenly update?

This story came out not long after 1.7 was out. And it now gets rehashed
to coincide with screwtorrents latest
sheep machine

This happens at every new version now. And why is one needed every 6 months? btw you can run many different bt apps, even at the same time. So why not try some others?

By: Zoness

Zoness — Wed, 13 Aug 2008 01:02:04 +0000

I’m happy with Azureus 3.1.1.0 myself I don’t have to worry about OMG SPIEZ or any of that crap with nice open source code. RAM is only argument I hear from people who are against the client but it runs pretty well on some older machines of mine. Worst case scenario you strip out a lot of the plugins and the Vuze content layer and it makes a difference.

By: fox chasing white fags chased by bears

fox chasing white fags chased by bears — Wed, 13 Aug 2008 00:58:29 +0000

Only stupid fucks would use a proprietary bittorrent client.

Can’t see the code? Black fucking box!

By: everyone

everyone — Wed, 13 Aug 2008 00:41:11 +0000

Instead of upgrading, every Âµtorrent user should downgrade to 1.6; the last version before it was sold to bittorrent

Never had any problem.

And to the guy who mentionned botnet :
loltard

By: skeptic

skeptic — Tue, 12 Aug 2008 23:24:12 +0000

I have an odd feeling about this one. looks like something fishy going on here.

By: Izkata

Izkata — Tue, 12 Aug 2008 23:17:03 +0000

I was hanging back on Azureus 3 for a long time, since I too hated the Vuze interface. Eventually I just gave, upgrade, and disabled all the Vuze portions. It’s actually pretty nice, since the Vuze stuff doesn’t take any memory when it’s disabled.

There’s even several more plugins that don’t work in 2.5.0.4, one of which I LOVE: Estimated time until seeding goal reached.

28: “I thought they were pretty much the same thing. Was that ever in question?”

Well, now they are. I was talking about code replaced between when it was bought and now.

By: better than all of you!

better than all of you! — Tue, 12 Aug 2008 22:02:48 +0000

I think the torrent community should step away from utorrent. these issues would go away if they were open source…

By: Meocross

Meocross — Tue, 12 Aug 2008 21:57:08 +0000

Thanks for the heads up No.41 Anon ill go and download Vuze soon enough.

and by the way this page was just posted on the front page of dig.com. LoL

http://digg.com/tech_news/Critical_Vulnerability_Discovered_in_uTorrent

By: Jim McDish

Jim McDish — Tue, 12 Aug 2008 21:49:23 +0000

Just what we need, more holes for hackers and undesirables to exploit! Scary indeed.

JT
http://www.FireMe.to/udi

By: Anonymous

Anonymous — Tue, 12 Aug 2008 21:48:40 +0000

I used Azureus with 256m of ram on a 1ghz duron a lot. Just because you see the interface not update fast, doesn’t mean the client is not doing its job right. Stick to the latest java version and you should be fine.

By: Meocross

Meocross — Tue, 12 Aug 2008 20:52:49 +0000

i only have 761 ram does that mean no azureus for me?(;.;)…..

By: Xec

Xec — Tue, 12 Aug 2008 19:31:22 +0000

You can strip out the Vuze content layer pretty easily. I run 3.1.1.0 just fine because I disabled Vuze and just upgraded as normal. The only notable change now is the client is totally called Vuze but they kept Azureus peer ID to comply with trackers so it is still accepted fine. I will probably stick with it until one of the following things happen:

1. The source closes for any reason
2. It forces a Vuze upgrade

In either case I will just find a fork and keep running off of that. Sure it’s a little hefty on the RAM but I have 3GB to spare just fine since I moved back to XP >:)

By: Gargamel

Gargamel — Tue, 12 Aug 2008 18:39:18 +0000

@36- Why not just use 2504? Its still widely accepted on almost all sites and extremely stable. I havent had a single problem with it.

If you have the ram that is? its a bit heavier on the resources but i have 2gig of ram and i literally dont even notice its there.

By: amc1

amc1 — Tue, 12 Aug 2008 18:38:16 +0000

Quick answer – if you just want to try an updated version of Azureus / Vuze, but want the same user interface – read this guide (with screenshots!):
http://www.azureuswiki.com/index.php/The_Azureus_Experience

You can give the Vuze UI a try if you want – some people like it, some don’t. You can access the old interface from inside the new one – which some people prefer.

By: Meocross

Meocross — Tue, 12 Aug 2008 18:31:34 +0000

@35

i didnt go to Azureus because of the Bloatware that is Vuze, Vuze should be a addon you can decide install by choice, thats the only reason why im using utorrent. if there is another program like utorrent delete utorrent asap, this software is becoming too shady, its only a matter of time before they turn it into a rootkit

By: Gargamel

Gargamel — Tue, 12 Aug 2008 18:24:24 +0000

your right. Typo on my part. I meant been using Az for 3 years, i stopped upgrading at 2504.

I havent bothered with Vuze, looks like bloatware. Is it any good?

By: amc1

amc1 — Tue, 12 Aug 2008 18:19:17 +0000

“I’ve been using the little blue Azureus 2504 for 3+ yrs and not one single problem.”
Wow – that’s made even more impressive that 2504 is only a year and a half old. ;)

By: Gargamel

Gargamel — Tue, 12 Aug 2008 18:13:10 +0000

Another exploit in utorrent? lol.

I’ve been using the little blue Azureus 2504 for 3+ yrs and not one single problem.

utorrents for machines that cant run a real client.