uTorrent silently patches critical vulnerability

Code execution hole in uTorrentIf uTorrent is the client you use to download files, now might be a good time to hit that “check for updates” button.

According to security alerts aggregator Secunia, there’s a “highly critical” uTorrent vulnerability that could allow remote code execution attacks with rigged .torrent files.

From the advisory:

  • The vulnerability is caused due to a boundary error in the processing of “.torrent” files. This can be exploited to cause a stack-based buffer overflow by tricking the user into opening a “.torrent” file containing an overly long “created by” field.
  • Successful exploitation may allow execution of arbitrary code.
  • The vulnerability is confirmed in version 1.7.7 (build 8179). Prior versions may also be affected.

The issue was silently patched by the vendor in version 1.8 RC7. Rhys Kidd says the flaw is at least two years old.

[Source: zdnet]