Google’s Project Zero has uncovered a “critical flaw” in the Transmission BitTorrent app that could give cybercrooks complete control of users’ computers.
According to Project Zero, the client is vulnerable to a DNS re-binding attack that effectively tricks the PC into accepting requests via port 9091 from malicious websites that it would (and should) ordinarily ignore.
The flaw could enable attackers to execute all kinds of attacks, including remote code execution, and works in both Chrome and Firefox on Windows and Linux PCs. Other browsers will almost certainly be vulnerable too.
Publicising details of the attack appears to have done the trick of forcing the developers to rush out a patch, but this has not been applied in all the software that uses the Transmission protocol, Ormandy warned.
Transmission is one of a number of BitTorrent peer-to-peer file sharing clients.
Rather than a centralised hub-and-spoke system for distributing files and data, shared files are decentralised, but publicised via the software that utilises the protocol. If anyone in the network wants a file, it is downloaded in ‘pieces’ from the source or sources.
Submitted by: Arnfried Walbrecht