Critical Vulnerability Discovered in uTorrent


U2Lynne
2008-08-12, 01:13 PM
A vulnerability described as ‘critical’ has been discovered in versions of uTorrent and the official BitTorrent client. The ‘buffer overflow’ vulnerability can be exploited to compromise a user’s computer for the execution of arbitrary code. It is suggested that users should immediately update to uTorrent version 1.8 RC7 or higher. There is currently no fix for the official client.

Read more... (http://torrentfreak.com/critical-vulnerability-discovered-in-utorrent-080812/)

uTorrent version 1.8 available here (http://utorrent.com/)

mooncusser
2008-08-12, 02:54 PM
interesting that my client is only prompting me to update to 1.8 RC6 (not 7). And it only does that if I enable updates to beta versions. I thought 1.8 is in stable release. :hmm:

Five
2008-08-13, 12:36 AM
looking over here:
http://www.filehippo.com/download_utorrent/

I notice that they're listing plain old "1.8" as being a higher version than 1.8 RC7

I downloaded "1.8" from filehippo and "1.8 (stable)" from the utorrent site and the checksums match, so seems like that is the most recent version at the moment

eaa865631b18d6c8ec5b34082f41c91a

thanks for the headsup

Chaosu
2008-08-13, 07:30 AM
Yup, stable is newer:
http://forum.utorrent.com/viewtopic.php?id=44003

U2Lynne
2008-08-13, 10:27 AM
RC means Release Candidate. So RC versions are versions they are hoping are stable enough to become the actual release, but aren't necessarily so. So yes, a stable 1.8 version is going to be 'better' than an RC version with the same version number.

thejoker
2008-08-14, 05:36 PM
Utorrent is real shit because my internet provider called me 3 times because i was hacking with PHP and i thought i had virus or something but when i formatted my computer and i found something to download from the tradersden or dimeadozen i used Utorrent again and they called me again for php attack but that time i had a fresh windows and no virus was there. That time i asked the time of the attack and it was when i was downloading with Utorrent and exactly when i closed it. so i just deleted it and got back the old bitornado; i had no call since.

I don't trust utorrent anymore, be careful if you use it by now

Five
2008-08-15, 02:16 AM
anybody else experience this?

glens
2008-08-15, 04:17 AM
I have not experienced any issues with uTorrent since 1.5....but NOTE: uTorrent Admin cites "This latest exploit affects all unicode enabled versions prior to 1.8 RC7. (which is as early as 1.5, I believe)"

rspencer
2008-08-15, 08:39 PM
I've had constant "offline" status for trackers since "upgrading" yesterday. Downloads & uploads at a minimum. Not firewalled (at all, cut it off completely to see if that would help). Had no issues whatsoever before switching to 1.8.

krokodyle
2008-08-15, 09:26 PM
I do not plan on upgrading my uTorrent any further (I'm at 1.7.7), so I really hope it doesn't get banned. It's not like this exploit hasn't been brought up before (http://torrentfreak.com/utorrent-vulnerable-to-remote-exploits/ Feb. 2007), which again would realistically only occur with torrents specifically designed to exploit uTorrent, and really only a risk on public trackers. Yes?

direwolf-pgh
2008-08-16, 01:09 AM
anybody else experience this?

nope. I did upgrade (from a push prompt) the other day and all is well.
the problem kinda comes with the territory (buffer overflow exploit). plus, utorrent wants an open port & we are 'trusting each other blindly' sharing data packets. yep...that's a security issue - almost no matter what.

The choice of programming language can have a profound effect on the occurrence of buffer overflows. As of 2008, among the most popular languages are C and its derivative, C++, with an enormous body of software having been written in these languages. C and C++ provide no built-in protection against accessing or overwriting data in any part of memory; more specifically, they do not check that data written to an array (the implementation of a buffer) is within the boundaries of that array. However, the standard C++ libraries provide many ways of safely buffering data, and technology to avoid buffer overflows also exists for C.
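
The bounds check that the paragraph above says C leaves to the programmer, as an added example (not code from this thread or from uTorrent). The thread does not say where the overflow was; a bencoded byte string, the length-prefixed `<length>:<bytes>` encoding used in .torrent files, is assumed here purely as an illustration, and the function and status names are hypothetical.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Status codes (names are this example's own, not from any client). */
enum { BSTR_OK = 0, BSTR_MALFORMED = -1, BSTR_TRUNCATED = -2, BSTR_TOO_LONG = -3 };

/*
 * Parse one bencoded byte string ("<decimal length>:<bytes>") from
 * in[0..in_len) and copy it, NUL-terminated, into dst[0..dst_cap).
 * Every length is validated before a single byte is written to dst.
 */
static int copy_bencoded_string(const unsigned char *in, size_t in_len,
                                char *dst, size_t dst_cap, size_t *consumed)
{
    size_t i = 0, n = 0;

    if (in == NULL || dst == NULL || dst_cap == 0)
        return BSTR_MALFORMED;

    /* Read the decimal length, refusing values that would wrap size_t. */
    while (i < in_len && isdigit(in[i])) {
        size_t digit = (size_t)(in[i] - '0');
        if (n > ((size_t)-1 - digit) / 10)
            return BSTR_MALFORMED;
        n = n * 10 + digit;
        i++;
    }
    if (i == 0 || i >= in_len || in[i] != ':')
        return BSTR_MALFORMED;
    i++; /* skip ':' */

    /* The sender controls n: compare it with the bytes really present ... */
    if (n > in_len - i)
        return BSTR_TRUNCATED;
    /* ... and with the room in dst, keeping one byte for the terminator. */
    if (n >= dst_cap)
        return BSTR_TOO_LONG;

    memcpy(dst, in + i, n);
    dst[n] = '\0';
    if (consumed != NULL)
        *consumed = i + n;
    return BSTR_OK;
}

int main(void)
{
    /* Constructed inputs: honest, too big for dst, lying about its length. */
    const char *samples[] = { "4:spam", "8:announce", "500:abc" };
    char dst[8];

    for (size_t k = 0; k < sizeof samples / sizeof samples[0]; k++) {
        int rc = copy_bencoded_string((const unsigned char *)samples[k],
                                      strlen(samples[k]), dst, sizeof dst, NULL);
        printf("%-12s -> %d\n", samples[k], rc);
    }
    return 0;
}
```

Without the two comparisons before `memcpy`, the declared length alone would decide how many bytes land in the 8-byte `dst`.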

xtraloveable
2008-08-16, 09:27 AM
I am using Utorrent 1.6.1 (build 490) and haven't experienced any problems since using it....does this affect all older versions up to 1.8 ?

waterman
2008-08-17, 08:28 PM
I must have upped and gotten rid of 1.8 a million times in 24 hours. Capped ul/dls, trackers off line, reconfiguring my firewall and anti virus thinking it was me, redling 1.7.7 a hundred times, having THAT go offline. What a pisser of a weekend. I work my ass off delivering 5 gallon water bottles all week (I didn't name myself that because my real name is Arthur Curry) and I have to deal with this. How utterly relaxing. I dled Bittorrent mainline, used that for an hour and was reminded why I ditched it a year ago, so now it's back to 1.8 again. It seems to be working ok now. A forum on the net suggested a couple of things. That (A): It's buggier than a shithouse rat. This would make sense because it's a new version and they're trying it out on us. Like Josef Mengele might have. Let us howl with displeasure and they'll collect data and eventually fix it. Or (B) It's a "torrent cop" of sorts. Forced capping of ul/dl speeds. File sharing is a big fat buggaboo in the pudding of the MPAA and the music industry at large. What better way to end this kind of shit than to "restrict movement?" I know I'm kinda conspiracy theorizing, but it ain't paranoia if they're really after you, is it. I sort of suggested this on Etree, but it wasn't real well received. Actually, what I suggested was to google "Utorrent1.8 sucks". And guess what! The discussion was well underway. I guess I can use another client, but I kinda like the little lug. Are there better clients? Guess time will tell. Cheers.

direwolf-pgh
2008-08-17, 08:34 PM
...I know I'm kinda conspiracy theorizing, but it ain't paranoia if they're really after you, is it. I sort of suggested this on Etree, but it wasn't real well received.

link please

mooncusser
2008-08-17, 08:53 PM
:ah:


works fine for me. downloads and uploads working fine, just like the last version :coffee:

Robbie_B
2008-08-18, 10:49 AM
I am using Utorrent 1.6.1 (build 490) and haven't experienced any problems since using it....does this affect all older versions up to 1.8 ?

I believe so yes. I have had troubles with utorrent crashing my wireless connection quite frequently, and when I closed the program I kept having ghost versions of utorrent running. The only way to remove them was pressing the power button on my HD.

I also have experienced that utorrent receives a tracker message from the TTD tracker saying "tracker sending invalid data null" on my uploads and shares, and still people have been able to download from me.
However TTD tracker is the only one which this happens to.

U2Lynne
2008-08-18, 10:59 AM
I also have experienced that utorrent receives a tracker message from the TTD tracker saying "tracker sending invalid data null" on my uploads and shares, and still people have been able to download from me.
However TTD tracker is the only one which this happens to.

That is a common message if you are seeding over your quota of ten shows or if you are seeding via DHT which bypasses the tracker.

waterman
2008-08-18, 12:57 PM
For Direwolf: I don't have a link per se. I just googled "Utorrent 1.8 sucks" because that's how I felt at the time. Then I chose from the headings that suited the situation the best. There was a discussion going on at the time about the general displeasure of the upgrade and there was a cross section of folks who were having the same issues I was and some others who felt the upgrade worked the same as their old client. Mine seems ok now although it seems to take longer to get up the steam and the ul speed is lower than I'd like it. I guess I'm kind of a dummy when it comes to configuring and such. But initially at least, 1.8 was a clusterfuck for my PC.

Robbie_B
2008-08-18, 02:02 PM
That is a common message if you are seeding over your quota of ten shows or if you are seeding via DHT which bypasses the tracker.

Thanks Lynn, I must have been sharing too many torrents at once I believe.

I installed the new utorrent 1.8 but it keeps crashing my connection.
Also every time I reboot my firewall (Norman) says there is a new version of utorrent which has not been used before, so I don't think utorrent has solved all the bugs in the new version.

I am giving Azureus a go again, however I have problems with my upload speed on their latest version.

Any good suggestions out there for an alternative reliable client?

U2Lynne
2008-08-18, 02:09 PM
Any good suggestions out there for an alternative reliable client?

I'm a mac user, so I can't really suggest anything. I've always suggested uTorrent for PC users since it was such a stable reliable client. I'm not sure what to recommend at the moment though. I use Azureus and am happy with it. If you are having issues with your upload speeds on Azureus, you might want to look through the settings tab and see if something is set incorrectly.

Robbie_B
2008-08-18, 02:18 PM
I'm a mac user, so I can't really suggest anything. I've always suggested uTorrent for PC users since it was such a stable reliable client. I'm not sure what to recommend at the moment though. I use Azureus and am happy with it. If you are having issues with your upload speeds on Azureus, you might want to look through the settings tab and see if something is set incorrectly.

Thanks, yes I was a happy user of Azureus for quite some time, until one of their upgrades slowed down my upload speed drastically, so I switched to utorrent which gave me a way better upload speed.

I'll have a go at trying to edit the Azureus settings. It's quite a complicated set up on it, however it's got the advantage to block certain IPs, in particular the bad sharers ;-) :nono:

jjbradley
2008-08-18, 03:56 PM
I'm a mac user, so I can't really suggest anything. I've always suggested uTorrent for PC users since it was such a stable reliable client. I'm not sure what to recommend at the moment though. I use Azureus and am happy with it. If you are having issues with your upload speeds on Azureus, you might want to look through the settings tab and see if something is set incorrectly.

Azureus has a strange problem on Vista. The listen on the UDP port fails, because the port is being used by another program. Not so. I haven't found any explanation.

firstrays123
2008-08-20, 02:07 PM
:ah:


works fine for me. downloads and uploads working fine, just like the last version :coffee:

same here

PunkyP
2008-08-22, 08:40 PM
Hi There,
Just to say on this U Torrent Business. Everytime I Get Prompted By My U Torrent To Upgrade To The New Version. When I start downloading the new U Torrent I immediately get a McAfee Virus Alert for the latest Virus Of The Week. Everytime it has happened never the same virus always a newer Virus. But when I download from C Net I have no trouble at all. It's almost like someone is virusing the U Torrent site ????.

direwolf-pgh
2008-08-22, 10:09 PM
you should run a full scan punkyp.

I have noticed (and its on utorrent troubleshooting page) the disk cache can really suck up system memory - if seeding at heavy speeds.

if you goto prefs>advance>turn off disk read/write cache - the memory issue goes away.

maidencolorado
2008-08-22, 10:18 PM
if you goto prefs>advance>turn off disk read/write cache - the memory issue goes away.

Thanks for that

mooncusser
2008-08-22, 10:30 PM
hmmm, I wondered why I started getting virtual memory messages...

GeoZeppelin
2008-08-25, 10:09 AM
this is true i had to reformat my PC the antivirusxp2008 is hidden inside the utorrent i guess....coz when i installed utorrent thats when NOD discovered that i had a trojan

glens
2008-08-26, 03:57 AM
Hmm... a couple of bits about that, from the µTorrent forum..."For those with "HTTP 400" error or completely non-working RSS, that is a problem with NOD32. Please disable IMON or upgrade to 3.x........."
Now, I think allowing µTorrent under exclusion may also work...

open nod32 and select IMON and then SETUP

Select MISCELLANEOUS and then EDIT under the header EXCLUSION

Select ADD and select utorrent.exe file, the one you use to open the program and then select OPEN

Click Ok and then OK again

There is also available µTorrent 1.8.1 Beta Build 11903 (http://www.utorrent.com/download.php) (Selecting the "See list of changes" will get you the announcement page for the Beta)

glens
2008-08-26, 04:28 AM
Damn, Disregard my earlier post about builds 11903 and 11962.....
Download at your own discretion, but please research....

Behold, from the forum...

#98 2008-08-24 23:24:00
Firon
Administrator Re: 1.8.1 beta (build 11962)
11962 out.


#108 Yesterday 17:39:52
Firon
Administrator Re: 1.8.1 beta (build 11962)
There's no exploits in the 1.8.1 beta. What there were was nasty bugs (not tracker/stats related) in 11903.

glens
2008-08-30, 09:19 PM
Build 12024 is up......testing it now....

--- 2008-08-29: Version 1.8.1 beta (build 12024)
- Change: reduce coalesce_write_size back to 2MB
- Fix: improved halfopen counting
- Fix: slow load with slow drives that are present

Blagnarok
2008-09-01, 02:49 PM
Utorrent only works for me with no problems if I keep my upload speed at 20 kb/s, which totally sucks because I'm seeding like 60 torrents all at 0.5 kb/s. If I make the upload speed more than 30kb/s, then my internet (firefox) starts to go REALLY slow, and my download speed drops dramatically.

I'm thinking of flashing new firmware to my linksys 54g wireless router. Hopefully that will take care of the new upload issue. I do not want to use a different client and have to reload all of the torrents I'm sharing. I seem to remember getting MUCH better upload speeds without this problem with the previous versions of uTorrent. My D/L speed is still pretty fast though (for a 3mb/s connection.)

jamroom
2008-09-01, 03:20 PM
No offence, but seeding 60 shows on a 3mb service is waaaaaay too many (even if many are inactive). Ten would be more than enough, less would be better. I believe some sites have a ten seed max (Dime?). Unless you have speed problems with only a few open - and actively seeding with no firewalled leechers.

Someone more experienced on here could comment further.

direwolf-pgh
2008-09-01, 03:34 PM
I'm seeding like 60 torrents all at 0.5 kb/s.

lame. totally lame. that is not seeding.. dial up speed is 6kb/s. you are seeding at a rate less than a 1200 baud modem.

in many circles that is frowned upon..
http://wiki.dimeadozen.org/index.php/Toomanytorrents

U2Lynne
2008-09-01, 03:50 PM
You should not be seeding more than ten torrents at a time unless you have some super-duper incredible pipe, which a normal user does not have. TTD even limits you to seeding ten torrents max (and it sounds like maybe Dime does also?). Have you ever done a speed test to see what you max upload is? http://speedtest.net/

glens
2008-09-02, 09:19 AM
Sorry about the column alignment, but you get the idea....

Almost NO Cable line or ADSL line should be using upload speeds higher than 2 mbit/sec!

╔════════════════╦═══════════╦═══════════╦══════════╗
║CONNECTION TYPE ║ UPLOAD ║CONNECTIONS║MAX ACTIVE║
║(UPLOAD MAXIMUM)║Limit│Slots║ Torr│ MAX ║Torr│Down.║
╠════════════════╬═════╪═════╬═════╪═════╬════╪═════╣
║ DEFAULT ║ 20│ 3 ║ 30│ 40 ║ 2│ 1║
║ Dial-up (28.8k) ║ 2│ 1 ║ 5│ 7 ║ 1│ 1║
║ Dial-up (56k) ║ 3│ 1 ║ 7│ 10 ║ 1│ 1║
║Single ISDN(64k) ║ 5│ 2 ║ 10│ 15 ║ 1│ 1║
║ Dual ISDN(128k) ║ 9│ 3 ║ 20│ 25 ║ 1│ 1║
║ 64 kbit/sec ║ 5│ 2 ║ 25│ 30 ║ 1│ 1║
║ 80 kbit/sec ║ 6│ 2 ║ 25│ 30 ║ 1│ 1║
║ 96 kbit/sec ║ 7│ 3 ║ 25│ 30 ║ 1│ 1║
║ 128 kbit/sec ║ 9│ 3 ║ 30│ 35 ║ 1│ 1║
║ 160 kbit/sec ║ 13│ 3 ║ 30│ 40 ║ 1│ 1║
║ 192 kbit/sec ║ 17│ 3 ║ 30│ 50 ║ 2│ 1║
║ 224 kbit/sec ║ 20│ 3 ║ 35│ 55 ║ 2│ 1║
║ 256 kbit/sec ║ 22│ 3 ║ 35│ 60 ║ 2│ 1║
║ 320 kbit/sec ║ 29│ 3 ║ 35│ 80 ║ 3│ 1║
║ 384 kbit/sec ║ 35│ 4 ║ 40│ 90 ║ 3│ 2║
║ 448 kbit/sec ║ 40│ 4 ║ 40│ 100 ║ 3│ 2║
║ 512 kbit/sec ║ 47│ 4 ║ 40│ 100 ║ 4│ 2║
║ 640 kbit/sec ║ 60│ 5 ║ 45│ 120 ║ 4│ 3║
║ 700 kbit/sec ║ 65│ 5 ║ 45│ 140 ║ 5│ 3║
║ 768 kbit/sec ║ 72│ 5 ║ 50│ 150 ║ 5│ 4║
║ 800 kbit/sec ║ 75│ 5 ║ 50│ 160 ║ 6│ 4║
║ 900 kbit/sec ║ 82│ 5 ║ 55│ 180 ║ 6│ 4║
║ 1 mbit/sec ║ 92│ 6 ║ 60│ 200 ║ 7│ 5║
║ 1.5 mbit/sec ║ 140│ 7 ║ 80│ 250 ║ 8│ 6║
║ 2 mbit/sec ║ 186│ 8 ║ 100│ 300 ║ 10│ 8║
║ 5 mbit/sec ║ 560│ 10 ║ 100│ 400 ║ 15│ 10║
║ 10 mbit/sec ║ 1120│ 20 ║ 100│ 500 ║ 20│ 15║
║ 20 mbit/sec ║ 2240│ 25 ║ 125│ 600 ║ 25│ 20║
║ 40 mbit/sec ║ 4480│ 28 ║ 140│ 700 ║ 30│ 20║
║ 50 mbit/sec ║ 5600│ 30 ║ 150│ 800 ║ 40│ 25║
║ 100 mbit/sec ║11200│ 40 ║ 200│ 1000║ 100│ 30║
╚════════════════╩═════╧═════╩═════╧═════╩════╧═════╝
Caption:
Connection Type/ Upload Maximum = UPLOAD speed in kilobits/second OR megabits/second. NOT TO BE CONFUSED WITH DOWNLOAD SPEED MAX! A "10 megabit/sec" cable line has that speed only for download...upload speed is likely 1 megabit/sec OR LESS!
UPLOAD Limit = Max Upload Speed in KiloBYTES/second
Upload Slots = number of peers to upload to at once on EACH active Torrent.
Connections Torr = Maximum Connections allowed PER active Torrent
Connections MAX = Global Maximum Connections allowed
MAX ACTIVE Torr = Total Maximum Active Torrents (This is Downloading PLUS Seeding!)
MAX ACTIVE Down. = Total Maximum Downloading Torrents

glens
2008-09-02, 09:31 AM
SO, even with a 5 mbit/sec upload MAX, the maximum active torrent setting should be 15.....

LennonCobain
2008-09-14, 08:30 AM
Thanks for the info.

wetmouse
2008-09-18, 02:27 PM
Let's be clear: There is no critical flaw in 1.77. Not even one. Certain overzealous rationazis have fallen in love with 1.8+ because a new crippleware feature introduced in it. 1.77 is the way to go. If I have to decide between upgrading it or leaving a site, it's not really a choice. Torrent sites are a dime a dozen but there is only one uTorrent 1.77... I will never upgrade.
Ever.

terrapintracker11
2008-11-04, 12:48 PM
version 1.8.1 according to threads elsewhere and at utorrent.com states that issue has been resolved. i use AVG Internet Security and if there was an issue with the latest version that would find it in a heartbeat. just my 2 cents:)

Jerm
2008-11-04, 01:18 PM
Let's be clear: There is no critical flaw in 1.77. Not even one. Certain overzealous rationazis have fallen in love with 1.8+ because a new crippleware feature introduced in it. 1.77 is the way to go. If I have to decide between upgrading it or leaving a site, it's not really a choice. Torrent sites are a dime a dozen but there is only one uTorrent 1.77... I will never upgrade.
Ever.


Yeah...from the looks of it you are almost as far as you can get from being a ratio-nazi :lol4:

AAR.oner
2008-11-06, 06:55 AM
Let's be clear: There is no critical flaw in 1.77. Not even one. Certain overzealous rationazis have fallen in love with 1.8+ because a new crippleware feature introduced in it. 1.77 is the way to go. If I have to decide between upgrading it or leaving a site, it's not really a choice. Torrent sites are a dime a dozen but there is only one uTorrent 1.77... I will never upgrade.
Ever.

you might never upgrade, but rest assured you will never be a respected member of a trading community either -- considering how much you've leeched from our site alone, the fact that you've offered up no B&Ps/vines/freebies to make up for you leeching so much, and then you post in here flaunting it

wanker :rolleyes:

Rick4u
2008-11-20, 08:00 PM
I have been using Azureus (now called Vuze) and have great connection speeds
up speeds at 125 kB/s
down speeds at 800+ kB/s
If you tweak the settings...it works great without all the crap you guys are posting about with utorrent.. and it uses minimal system resources
just my 2 cents :D

timber_jerry
2009-02-13, 02:58 PM
SO, even with a 5 mbit/sec upload MAX, the maximum active torrent setting should be 15.....

anyone have an answer on this one?? i did the Utorrent upgrade monday night i think, and ever since then my utorrent has been down 100%. Nothing going up, nothing coming down! the green check comes on for about 6-7mins then goes away. before the upgrade i was upping 82 separate seeds at between 40kb's & 80kb's each with no problem for over a month! i checked with my internet provider and they said my speed rate should be between 10 mbit & 12mbit so that's why i could upload so much at once (or so i thought)

but what i'm hearing here is that regardless i should only have 15 torrents open max for up or down, ever??

Black Dog
2009-02-13, 03:16 PM
try this

http://www.speedtest.net/