2Likes
LinkBack URL
About LinkBacksThe BitTorrent Engineering Blog
Notes from the front lines of BitTorrent innovation
HTTP/RPC Security Vulnerabilities Resolved in uTorrent, BitTorrent and uTorrent Web.
A fix for multiple vulnerabilities affecting all uTorrent, BitTorrent and uTorrent Web Windows users is now available for immediate download at the links below. We must stress that while this is a vulnerability that can be exploited to trigger unauthorized downloads to take place, BitTorrent Inc. is not aware of any incidents related to these vulnerabilities. As always, we highly encourage all of our customers to stay up to date. Android and Mac users are not affected by the reported vulnerabilities.
Download the latest builds:
uTorrent Stable 3.5.3.44358
Bittorrent Stable 7.10.3.44359
uTorrent Beta 3.5.3.44352
uTorrent Web 0.12.0.502
The team began rolling out the update to beta uTorrent Windows users via the auto update mechanism on Feb 16, 2018. As of today, Feb 22, 2018, the rollout for beta users has concluded and the stable rollout has started. Included in the latest builds are fixes to the way uTorrent and uTorrent Web authenticate WebUI requests and generate session and authentication tokens. In addition to this, the updates clamp down on guest account access limits and enforce more checks on potentially malicious HTTP headers sent to the client.
Customers and developers of 3rd-party applications that rely on the default-open state of port 10000 should be aware that moving forward, clients will no longer be discoverable over port 10000. Pairing negotiation is now only allowed over a mutually agreed upon port. Customers can set this port manually by enabling WebUI functionality via Advanced->WebUI-> Enable Web UI and then specifying a port under the Connectivity section.
WebUISettings
uTorrent 3.5.3 For Windows (build 44358)
February 22, 2018
– Use proper device pairing password when updating device info graphic
– Point Remote “Learn More” link to better URL
– Disable localhost/search lookup when making searches. Do not rely on the localhost port-10k discoverability
– Use a CRNG as a WebUI token source
– Require device/service pairing or standard webui authentication for the /proxy endpoint
– Sanity check Host header on HTTP requests
– Remove automatic discoverability feature over port 10000. The setting net.discoverable no longer exists.
– WebUI action getsettings is only allowed for fully authenticated user (not guest)
– Fix crash when sending malformed requests to /fileserve
– Fix forced re-install mode when same version is already installed
– Set uninstaller prompt dialog title
– Remove Nexway cart URLs
– License key information is no longer exposed via WebUI
Torrent Invites! Buy, Trade, Sell Or Find Free Invites, For EVERY Private Tracker! HDBits.org, BTN, PTP, MTV, Empornium, Orpheus, Bibliotik, RED, IPT, TL, PHD etc!
Results 1 to 1 of 1
Thread: Classix-Unlimited News
-
02-24-2018 #1Extreme User
- Reputation Points
- 64095
- Reputation Power
- 100
- Join Date
- Aug 2016
- Posts
- 11,086
- Time Online
- 84 d 2 h 2 m
- Avg. Time Online
- 42 m
- Mentioned
- 579 Post(s)
- Quoted
- 41 Post(s)
- Liked
- 4504 times
- Feedbacks
- 1 (100%)
Classix-Unlimited News
Reply With QuoteLinkBacks (?)
-
Classix-Unlimited News
Refback This thread02-24-2018, 08:31 PM -
Classix-Unlimited News
Refback This thread02-24-2018, 07:50 PM
