Google researcher Tavis Ormandy recently detailed a host of DNS rebinding exploits in Windows versions of uTorrent that let attackers resolve web domains to the user’s computer, essentially giving the intruders the keys to the kingdom.
They could execute remote code, download malware to Windows’ startup folder (making it launch on the next reboot), grab downloaded files and look at your download history. The flaws affect all unpatched versions, including uTorrent Web.
uTorrent is urging users to upgrade to the latest version of its file-sharing service after its client fell foul of server security flaws.
“All users will be updated with the fix automatically over the following days. The nature of the exploit is such that an attacker could craft a URL that would cause actions to trigger in the client without the user’s consent (e.g. adding a torrent),” said Dave Rees, BitTorrent’s vice president of engineering.
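DNS rebinding works against a local HTTP interface because the browser connects to the user's own machine while still sending the attacker's domain in the Host header. A common defence for loopback-only services is to reject any request whose Host is not a loopback name. The Python below is an added example, not uTorrent's or BitTorrent's fix; the port, the allowlist and the function names are assumptions.

```python
# Added example: Host-header allowlist for a loopback-only HTTP control port.
# ALLOWED_HOSTS, LISTEN_PORT and the function names are illustrative assumptions.
ALLOWED_HOSTS = {"localhost", "127.0.0.1", "::1"}
LISTEN_PORT = 8080  # hypothetical port


def split_host_header(value):
    """Return (hostname, port or None) from a Host header, or None if malformed."""
    value = value.strip()
    if not value or any(c in value for c in " \t/@\\"):
        return None
    if value.startswith("["):  # bracketed IPv6 literal, e.g. [::1]:8080
        end = value.find("]")
        if end == -1:
            return None
        host, rest = value[1:end], value[end + 1:]
        if rest and not rest.startswith(":"):
            return None
        port = rest[1:] if rest else None
    else:
        host, sep, port = value.partition(":")
        port = port if sep else None
    if port is not None:
        if not (port.isascii() and port.isdigit()):  # also rejects "80:80"
            return None
        port = int(port)
    return host.lower().rstrip("."), port


def request_allowed(headers):
    """True only if the single Host header names this machine's loopback."""
    hosts = [v for k, v in headers if k.lower() == "host"]
    if len(hosts) != 1:  # missing or duplicated Host header
        return False
    parsed = split_host_header(hosts[0])
    if parsed is None:
        return False
    host, port = parsed
    # A rebound name still arrives on 127.0.0.1, but the browser puts the
    # attacker-chosen domain in Host, so the allowlist rejects it.
    return host in ALLOWED_HOSTS and (port if port is not None else 80) == LISTEN_PORT


if __name__ == "__main__":
    # Constructed sample requests (header lists), not captured traffic.
    for hdrs in ([("Host", "127.0.0.1:8080")],
                 [("Host", "rebind.attacker.example:8080")],
                 [("Host", "localhost:8080"), ("Host", "evil.example")]):
        print(hdrs, "->", "allow" if request_allowed(hdrs) else "reject")
```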