Google's Project Zero has been busy uncovering vulnerabilities in a wide range of products and services, most notably rooting out CPU flaws that became known as Spectre and Meltdown. While mitigations are still ongoing, Project Zero continues to look for security issues across the board. The latest one that Project Zero found is a remote code execution vulnerability that exists in uTorrent.
The vulnerability exists in both the downloadable desktop client for Windows and the new uTorrent Web service that runs in a browser window and allows users to stream torrents from it. Project Zero points out that by default, the web version is configured to run at startup with Windows, so it's always running and accessible.
Here is a basket of uTorrent DNS rebinding vulnerabilities that are now fixed, from remote code execution to querying and copying downloaded files, and more. https://t.co/JEvhq1IHGJ— Tavis Ormandy (@taviso) February 20, 2018
The vulnerabilities, which are apparently easy to exploit, could allow a rogue website to control uTorrent (both the desktop client and web app). In doing so, an attacker could force a user to unwittingly download malicious software to their PC's startup folder, and it would automatically run the next time his or her system boots. Rogue sites could also peek into a user's download history and see what files have been downloaded.
Multiple sites report that uTorrent has update its desktop application to address the issue, and that versions 188.8.131.52352 and above are not affected. If you are using a previous version, check for an update, either through the application itself or by downloading a new client.