Comments on: Critical Vulnerability Discovered in uTorrent

By: Rhys

Rhys — Fri, 22 Aug 2008 12:05:47 +0000

I discovered this vulnerability by doing some basic reverse engineering of uTorrent quite some time ago.

The vulnerability occurs because the coders of uTorrent continue to use a known unsafe memory API to move blocks of information around.

Is it a deliberate attempt by RIAA/MPAA etc? No, it’s just simply lazy coding.

Microsoft was hit by these same type of issues back in 2001-2003, but they took the time to update their code. uTorrent simply didn’t. They need to improve their internal secure coding techniques and improve developer training.

No conspiracy here, just laziness.

By: pissed off

pissed off — Thu, 21 Aug 2008 22:37:14 +0000

fuck this, I don’t want to upgrade to 1.8, that’s total bullshit that trackers are forcing us to switch to it, fucking bullshit, it’s flawed.

By: Anonymous

Anonymous — Sun, 17 Aug 2008 12:14:04 +0000

Switch to Halite

By: Marc

Marc — Sat, 16 Aug 2008 15:49:57 +0000

@70, yeah, since version 1.8 they have a trick built in. you cant cap your upload speed too low or else it severely limits your download, which can be a problem in some cases when you run into a torrent that is really slow downloading for example. its built in, no way of changing that, if you cap below 4-5 or 6 k/s, depending on the version you are trying, it limits your download speed big time. i tested this and then went back to 1.7.7, i am thinking of switching to something else anyway … deluge is supposed to be good too ???

By: stuffies

stuffies — Sat, 16 Aug 2008 14:33:46 +0000

Only n00bs would believe this bullshit.

By: Anonymous

Anonymous — Sat, 16 Aug 2008 13:54:03 +0000

Hoe vindt u een kwetsbaarheid als het programma niet open source

By: Anonymous

Anonymous — Sat, 16 Aug 2008 13:53:34 +0000

Comment trouvez-vous une vulnÃ©rabilitÃ© si le programme n’est pas open source

By: Anonymous

Anonymous — Sat, 16 Aug 2008 13:51:40 +0000

How do you find a Vulnerability if the program is not open source

By: Anonymous

Anonymous — Fri, 15 Aug 2008 11:52:18 +0000

Did you try using different trackers #70

By: Anonimus

Anonimus — Fri, 15 Aug 2008 07:14:08 +0000

Why they want to upgrade to v1.8 of utorrent? I think v1.8 have some bugs and they want more users to have v1.8 this way they can exploit this bug :)))

By: Firon

Firon — Fri, 15 Aug 2008 05:46:27 +0000

No such cap has been implemented at those upload speeds, #70.

By: Anonymous

Anonymous — Thu, 14 Aug 2008 06:58:48 +0000

Thanks #69

By: Phishybongwaters

Phishybongwaters — Thu, 14 Aug 2008 06:49:45 +0000

ok, i love utorrent, and will probably always use it as my preferred client.

Here’s the thing. I just installed 1.8 and I have a few concerns.

first off, there is now a built in timer for the ‘update tracker’ function, which stops me from hammering updates to the tracker to pickup more peers. due to the type and quality of my connection, i need to cap the uploads pretty low until i complete the torrent, then i change the number of upload slots, uncap the upload, and update the tracker a few times. now I can’t, which leads directly to the next issue.

As stated i need to cap my upload speeds. Most guides suggest 80%. If you don’t mind your download suffering, that’s great. I cap to 5k until it’s done, then let it open wide for a few days or so.

well, my tests showed me something interesting.

Utorrent 1.7 with the upload capped to 5k, on a specific torrent, lets my download at 600kbps.

Utorrent 1.8 with the upload cap set to 25 or above lets me hit that 600kbps. The very instant i cap it to anything lower than 25kbps, my download drops to 100kbps max, and sits there until i uncap the upload.

I tested and retested, same results every time on several torrents. They’ve changed the forced share ratio to guess your max upload (or go by the settings you provided) and it literally messes with your download unless you uncap to something around 75%.

bollox my friends, bollox.

By: Anonymous

Anonymous — Thu, 14 Aug 2008 02:24:53 +0000

It’s the same, every time a new version is released they say older version has bugs and their explanation is almost the same
Vulnerability,buffer overflow blah, blah
See here:
http://torrentfreak.com/utorrent-vulnerable-to-remote-exploits/

By: Anonymous

Anonymous — Thu, 14 Aug 2008 01:07:39 +0000

You can get ÂµTorrent v1.7.7 from here:

http://www.oldapps.com/

Or the older versions of any other bit torrent client

By: Anonymous

Anonymous — Wed, 13 Aug 2008 20:46:20 +0000

How do you downgrade back to 1.7.7?

By: oneplusone

oneplusone — Wed, 13 Aug 2008 19:11:38 +0000

Yeah, everyone knows Java’s not very secure.

10 JRE updates a week make me wonder why Azureus is considered so much safer by so many people.

By: Anonymous

Anonymous — Wed, 13 Aug 2008 18:05:40 +0000

I don’t recommend BitComet it abuses the optomistic unchoke function to take priority over others in the swarm, most closed trackers don’t allow it.

By: ngbg

ngbg — Wed, 13 Aug 2008 13:36:10 +0000

Well, I did the update. If not I have no use of utorrent since IÂ´ll be BANNED in most torrentsites that is important to me, so…

By: Buggy

Buggy — Wed, 13 Aug 2008 13:28:29 +0000

I really don’t know what people are complaining about with uTorrent. Version 1.8 has some nice new features, no bugs I’ve ever seen and is definitely not sending information straight to the authorities. I understand people using other clients (except Vuze/Azureus that thing is a massive memory hog) but why bash uTorrent? The only other client I’ve liked is BitComet but it doesn’t appear to support RSS downloading which I’ve really started to love.