An attacker behind a rogue website, Ormandy said, can exploit this client-side flaw by hiding commands inside web pages that interact with uTorrent’s RPC servers. Simply put, those JSON-RPC issues create a vulnerability in the desktop and web-based uTorrent clients, which both use a web interface to display website content. Ormandy said the vulnerabilities are easy to exploit and are tied to various JSON-RPC issues, or problems with how the web-based apps handle JavaScript Object Notations (JSON) as they relate to the company’s remote procedure call (RPC) servers. Project Zero gives vendors a 90-day window to patch a vulnerability before publicly disclosing it. Project Zero security researcher Tavis Ormandy published the research on Wednesday after waiting 90 days from the time it notified uTorrent of its discovery. According to researchers, the flaws allow a hacker to either plant malware on a user’s computer or view the user’s past download activity.
Google Project Zero researchers are warning of two critical remote code execution vulnerabilities in popular versions of BitTorrent’s web-based uTorrent Web client and its uTorrent Classic desktop client.
0 kommentar(er)
