Fix uTorrent JSON-RPC and remote code execution security issue

All users who use this client are strongly advised to take measures.

What the issue is about:

If you have WebUI enabled, attackers can gain access to pretty much any location within your computer, download or upload files and execute them.

Apart from that, attackers can exploit uTorrent’s RPC feature, which is enabled by default, to access your uTorrent data, including your torrent files and passkeys.

The detailed description of this bug can be found here.

How to protect yourself:

If you’re using uTorrent 3.x, then upgrade immediately to the newest version. The issue has been (somewhat?) fixed in version 3.5.3.

If you’re on 2.x, disable both WebUI and the advanced setting “net.discoverable”. Here is a quick guide on how to do that:

If you don’t see “net.discoverable” setting, then you must be using an earlier version, and should be ok.

Alternatively, consider switching to another client — qBittorrent, Transmission or Deluge are (apparently) good options.

Mind you, there is no need to panic over this. I personally still use μTorrent 2.2.1 and feel completely relaxed over this after disabling the above-mentioned features.

I’d like to thank the guys over at JPopsuki for pointing this issue out. Stay safe :)!
