Google security researcher Tavis Ormandy has discovered a vulnerability in µTorrent that allows an attacker to take over the computer. The vulnerability exists both in µTorrent Classic, the Windows desktop version, and in µTorrent Web, the browser-based version of the torrent download application.
Attackers who exploit the vulnerability are able to remotely execute arbitrary code on the victim’s computer. This lets the attacker, for example, install malware. In addition, the vulnerability allows an attacker to view the victim’s downloaded files and download history.
The issue is especially alarming because it takes nothing more than visiting a malicious website to fall victim to the attack.
BitTorrent Inc., the developer of the software, has released a version to its beta testers that should fix the vulnerability. This version should later become available to everyone.
Nevertheless, Ormandy tweeted today that the issue still exists. Although the beta version blocks Ormandy’s method, the method still works after some changes, according to Ormandy. Until the issue is properly resolved, it is advisable not to use µTorrent.