The issue was reported to BitTorrent in November, but as the security researchers predicted, the parent company failed to release a patch in its 90-day window, so security staff posted the details of the vulnerability on the Internet this week.
The vulnerability exists in the Web interface, allowing users to remotely control BitTorrent clients, which, if exploited, could allow an attacker to control a vulnerable computer. However, the software developer said it has a patch ready and that the patch is part of the latest beta, which is expected to move to a stable channel as soon as this week, according to a report by TorrentFreak.
However, the patch that is shared with Ormandy only covers the original vulnerability and does not completely address the vulnerability. It looks like BitTorrent just added a second token to uTorrent Web. This does not solve the DNS rebind problem. At this time, BitTorrent does not provide an updated statement to share how and when it plans to release a new patch.
Source: arstechnica
