Think your download history is safe if you use uTorrent? It turns out that’s not necessarily the case, as researchers have uncovered some nasty security bugs that could leave you and your computer vulnerable to hackers. BitTorrent was given 90 days to fix the security bugs in uTorrent, but it sounds like the holes may still be open.
Google Project Zero researcher Tavis Ormandy first identified the problems with uTorrent in November, but when BitTorrent didn’t seem to respond within the given time, Ormandy tweeted his concern in late January. The company pushed out a patch for the security bugs in the next beta version, but there seem to be conflicting reports about whether or not the patch actually fixes the security holes.
uTorrent is one of the most popular apps from BitTorrent, and it’s a client app that’s commonly used by those who want to download files, often without it being obvious what, exactly, they are downloading. The Project Zero team explains that two versions of the software have security holes that allow hackers to see and access files that users have downloaded, view their download histories, and even execute code on their systems.
Project Zero researchers say that the security holes allow any website users visit to gain control over major functionalities in both the Windows desktop app and the Web version of uTorrent. When users visit malicious sites, they could be open to attack from those very sites. Malicious websites can enter users’ systems through the security holes and then insert malicious code into their Windows startup folder, Ars Technica explains. That code will then run automatically the next time the computer reboots. Any site that the user has visited is able to see the files they downloaded and even access them.
BitTorrent management said on Tuesday that they fixed the bugs in the beta version of the uTorrent desktop app for windows, but those running the stable version of the app are still vulnerable. Those who want to move to the beta version immediately can download it here, although the company plans to push it out to all users in the next few days. BitTorrent also encourages users of the browser-based Web version to download the newest build here or through the notification that’s appearing inside the application.
The company advises all users to stop using both uTorrent versions until they move to the updated versions that don’t have the security bugs. After all users of uTorrent have downloaded the patches and aren’t at risk any longer, more details will be available from BitTorrent and Project Zero.
BitTorrent told TorrentFreak in a statement that it has sent the updated versions to Ormandy, who verified that the patches do indeed fix the vulnerabilities. However, Ormandy later tweeted that he was able to fix the exploit he originally used even with the patched version of uTorrent, so it’s unclear whether the issue is definitely fixed.
