Vulnerability Found Exploitable in uTorrent
IT security experts said the latest version of the uTorrent BitTorrent client is vulnerable to exploits.
uTorrent is a BitTorrent client. A 'client' here means software that complies with a protocol's rules. For instance, HTTP (Hypertext Transfer Protocol) is the protocol used for downloading web pages and other web content, and an HTTP client is a program that retrieves those web pages. Popular Internet browsers such as MS Internet Explorer, Safari, Mozilla Firefox, and Opera all follow the same protocol and therefore function in the same fashion.
By tampering with a torrent file, attackers can cause a buffer overflow in this version of the BitTorrent client uTorrent. If a user opens a tampered torrent file, an attacker can inject and run arbitrary code.
Torrent files are likely to have 'announce' fields. An entry longer than 4800 bytes can cause a buffer overflow inside uTorrent. A program that demonstrates the vulnerability on Windows 2000 and Windows XP with Service Pack 1 is now available in the milw0rm exploit archive.
So far only uTorrent 1.6 build 474 is known to be affected, but older versions may also have the bug. A new version that repairs the problem has yet to appear.
Experts advise users of the well-known uTorrent BitTorrent client not to download torrent trackers from unrecognized sources, or simply to switch to a different BitTorrent client such as 'Azureus'.
While publishing the remote exploit, Defaced Security also noted that the exploit is valid only on Windows 2000 and XP.
An update of the uTorrent BitTorrent client, version 1.6.1 build 488 STABLE, was released on February 14, 2007. This is particularly noteworthy given that the previous stable releases, according to news of February 13, 2007, were susceptible to hackers' attacks.
The latest release addresses these concerns. It also carries two more features: a new encryption box added to the speed guide, and the ability to choose the download or upload speed for a torrent tracker.
» SPAMfighter News - 27-02-2007