Is it because of this?
2018.02.24 - About the vulnerability found in uTorrent recently
https://bugs.chromium.org/p/project-zero/issues/detail?id=1524
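In short, if exploited:
With Web UI enabled: an attacker may crash your uT, add arbitrary tasks, and download executable code to any location on the system. Because some system directories have automatic execution mechanisms, this easily leads to arbitrary code execution and then full control of the system.
With Web UI disabled: an attacker can download from you any file you have downloaded.
In any case, the only way to fully avoid the vulnerability in the uT 3.x series is to stop using it. u2 ends support for uT 3.0-3.5.1 from now on; users can downgrade to 2.2.1 or lower, or use other clients such as qBittorrent or Transmission.
uT 1.8.5-2.2.1 cannot be exploited directly in the same way as 3.x, but has not yet been shown to be immune to this vulnerability. If a related exploit appears, support for these versions may be ended at any time.
BitTorrent Inc. released a new version, 3.5.3, in an attempt to fix it, but it is still exploitable. The staff will wait for the first stable version with a complete fix and then add support for it.
If you are using uT 1.8.5-2.2.1:
1. Please turn off the Web UI feature
2. Please turn off the net.discoverable option in the advanced settings (enabled by default)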
-----------------------------------------------------------------------------------------
https://bugs.chromium.org/p/project-zero/issues/detail?id=1524
uTorrent 3.0-3.5.1 will not be supported anymore due to the vulnerability found in the link above.
This vulnerability allows remote code execution (if you opened Web UI), or lets an attacker download everything you downloaded from you (if you didn't open Web UI).
Nothing except stopping its use could prevent an attacker from using it.
We suggest users take uT 2.2.1 or qBittorrent/Transmission instead.
For uT 1.8.5-2.2.1, some of the features which contain the vulnerability exist. So we may remove the support of them in the future, if it turns out an attacker could use the vulnerability in another way in 1.8.5-2.2.1.
uTorrent 3.5.3 is a failed patch version, and the staff are waiting for a new stable version which fully fixes the vulnerability. Once found, we shall add support for it.
Please note that, if you are using uT 1.8.5-2.2.1 currently:
1. Please turn off Web UI
2. Please turn off net.discoverable in advanced settings. This was set to true by default.