Critical Vulnerability Discovered in uTorrent

[U2Lynne]

Quote:

A vulnerability described as ‘critical’ has been discovered in versions of uTorrent and the official BitTorrent client. The ‘buffer overflow’ vulnerability can be exploited to compromise a user’s computer for the execution of arbitrary code. It is suggested that users should immediately update to uTorrent version 1.8 RC7 or higher. There is currently no fix for the official client.

Read more...

uTorrent version 1.8 available here

[mooncusser]

interesting that my client is only prompting me to update to 1.8 RC6 (not 7). And it only does that if I enable updates to beta versions. I thought 1.8 is in stable release.

[Five]

looking over here:
http://www.filehippo.com/download_utorrent/

I notice that they're listing plain old "1.8" as being a higher version than 1.8 RC7

I downloaded "1.8" from filehippo and "1.8 (stable)" from the utorrent site and the checksums match, so seems like that is the most recent version at the moment

eaa865631b18d6c8ec5b34082f41c91a

thanks for the headsup

[Chaosu]

Yup, stable is newer:
http://forum.utorrent.com/viewtopic.php?id=44003

[U2Lynne]

RC means Release Candidate. So RC versions are versions they are hoping are stable enough to become the actual release, but aren't necessarily so. So yes, a stable 1.8 version is going to be 'better' that an RC version with the same version number.

[thejoker]

Utorrent is real shit because my internet provider called my 3 times because i was hacking with PHP and i thought i had virus or something but when i formated my cumputer and i found something to download from the tradersden or dimeadozen i used Utorrent again and they called my again fro php attack but that time i had a fresh windows and no virus was there. That time i asked the time of the attack and it was when i was downloading with Utorrent and exactly when i closed it. so i just deleted it and get back the old bitornado i had no call since.

I don't trust utorrent anymore becarfull if you use it by now

[Five]

anybody else experience this?

[glens]

I have not experienced any issues with uTorrent since 1.5....but NOTE: uTorrent Admin cites "This latest exploit affects all unicode enabled versions prior to 1.8 RC7. (which is as early as 1.5, I believe)"

[rspencer]

I've had constant "offline" status for trackers since "upgrading" yesterday. Downloads & uploads at a minimum. Not firewalled (at all, cut it off completely to see if that would help). Had no issues whatsoever before switching to 1.8.

[krokodyle]

I do no plan on upgrading my uTorrent any further (I'm at 1.7.7), so I really hope it doesn't get banned. It's not like this exploit hasn't been brought up before (http://torrentfreak.com/utorrent-vul...mote-exploits/ Feb. 2007), which again would realistically only occur with torrents specifically designed to exploit uTorrent, and really only a risk on public trackers. Yes?

[direwolf-pgh]

Quote:

Originally Posted by Five

anybody else experience this?

nope. I did upgrade (from a push prompt) the other day and all is well.
the problem kinda comes with the territory (buffer overflow exploit). plus, utorrent wants an open port & we are 'trusting each other blindly' sharing data packets. yep...thats a security issue - almost no matter what.

Quote:

The choice of programming language can have a profound effect on the occurrence of buffer overflows. As of 2008, among the most popular languages are C and its derivative, C++, with an enormous body of software having been written in these languages. C and C++ provide no built-in protection against accessing or overwriting data in any part of memory; more specifically, they do not check that data written to an array (the implementation of a buffer) is within the boundaries of that array. However, the standard C++ libraries provide many ways of safely buffering data, and technology to avoid buffer overflows also exists for C.

[xtraloveable]

I am using Utorrent 1.6.1(build 490) and haven't experienced any problems since using it....does this effect all older versions up to 1.8 ?

[waterman]

I must have upped and gotten rid of 1.8 a million times in 24 hours. Capped ul/dls, trackers off line, reconfiguring my firewall and anti virus thinking it was me, redling 1.7.7 a hundred times, having THAT go offline. What a pisser of a weekend. I work my ass off delivering 5 gallon water bottles all week (I didnt name myself that because my real name is Arthur Curry)and I have to deal with this. How utterly relaxing. I dled Bittorrent mainline,used that for an hour and was reminded why I ditched it a year ago, so now its back to 1.8 again. It seems to be working ok now. A forum on the net suggested a couple of things. That(A):Its buggier than a shithouse rat. This would make sense because its a new version and theyre trying it out on us. Like Joseph Mengeles might have. Let us howl with displeasure and theyll collect data and eventually fix it. Or(B) Its a "torrent cop" of sorts. Forced capping of ul/dl speeds. File sharing is a big fat buggaboo in the pudding of the MPAA and the music industry at large. What better way to end this kind of shit than to "restrict movement?" I know I'm kinda conspiracy theorizing, but it aint paranoia if theyre really after you, is it. I sort of suggested this on Etree, but it wasnt real well received. Actually, what I suggested was to google" Utorrent1.8 sucks". And guess what! The discussion was well underway.I guess I can use another client, but I kinda like the little lug. ARe there better clients? Guess time will tell. Cheers.

[direwolf-pgh]

Quote:

Originally Posted by waterman

...I know I'm kinda conspiracy theorizing, but it aint paranoia if theyre really after you, is it. I sort of suggested this on Etree, but it wasnt real well received.

link please

[mooncusser]

works fine for me. downloads and uploads working fine, just like the last version