aaaaaaaaah Posted January 7, 2006

OK, yes, I guess I could read it all from the "what's new" section on each new version, but forgive me for being a bit lazy. I'm just wondering, how many and how severe security holes has uTorrent had? I would guess that very few, since it seems to be carefully programmed and it is small (the smaller the program, the fewer possible holes, I presume). Could someone please enlighten me?
Firon Posted January 7, 2006

None to date.
aaaaaaaaah Posted January 7, 2006

Are you serious? :) WOW!
Firon Posted January 7, 2006

I don't really think any torrent client has yet.
aaaaaaaaah Posted January 7, 2006

> I don't really think any torrent client has yet.

Azureus at least has, well, they are related to Java of course (= Java security holes).

OK, maybe bittorrent clients are immune to security holes, but I doubt it. I mean, they DO have to have some ports opened (if you want to upload too)... maybe some buffer overruns? System/admin level access? Backdoors for full-disk access to anyone who drops "the magic byte" to the client port?

BTW, why keep uTorrent closed-source? I mean, you don't get any money from it anyway. Open source is... better.
Firon Posted January 7, 2006

Well, it's probably possible they have some kind of exploit, but no one's really discovered anything yet.

There's been lots of discussions about why it's closed source and whatnot, and it's because ludde has absolutely no reason to make it open source. There's no compelling argument for him except to satisfy the FLOSS people. He's fine being the only dev right now and doesn't want anyone else developing it. He doesn't want forks or people to change/add stuff that he doesn't want in the client, or make unofficial versions/patches/whatever. But he's not completely against the idea of open source (see ScummVM): he does say that if at any point he can no longer develop it or whatever, it's likely he'll make it open source.
splintax Posted January 7, 2006

Haven't seen any exploits in torrent clients yet myself. :/ I guess the fact that pretty much everything has to be initiated by the user means that there are limited security risks...
aaaaaaaaah Posted January 7, 2006

> I guess the fact that pretty much everything has to be initiated by the user means that there are limited security risks...

Well, having a port open and receiving something is always a possible security risk. For both torrent client software as well as Windows itself. Also, somehow "malformed" torrents could be a security risk (somehow).
splintax Posted January 7, 2006

The only way I could see this happening is if, through some horrible coding error, a malformed packet could trick µTorrent into executing code within it. :/

As far as malformed .torrents, I can't think of any way these could be "exploited", except for somehow containing bad hash data or tracker info, which probably isn't a security risk but a weakness making it easier to poison torrents.
Inf Posted January 7, 2006

You can never be 100% sure there are absolutely no possible places to exploit in utorrent. Some minimal checklist would be looking for a possibility of causing buffer/stack overflows in the .torrent parser, in peer communication handling (especially incoming) and tracker communication handling.

Another thing a programmer may forget about is the possibility of a buffer overflow in the GUI, etc. etc. etc.

Nothing is 100% secure; if you wanna be almost 100% secure, just cut the network connection off.
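
The .torrent parser item on the checklist above, as an added example that is not part of the thread and is not µTorrent's code: a bencoded string (`<length>:<bytes>`, the encoding .torrent files use) is read with its declared length checked against both the bytes actually received and the destination buffer. The function and constant names are hypothetical, and the inputs in `main` are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { BSTR_OK = 0, BSTR_MALFORMED = -1, BSTR_TOO_LONG = -2 };

/* Parse one bencoded byte string ("<decimal length>:<bytes>") from
 * in[0..in_len). The payload is copied into out (capacity out_cap) and
 * NUL-terminated; *out_len and *consumed are set only on BSTR_OK. */
int bstr_parse(const uint8_t *in, size_t in_len, char *out, size_t out_cap,
               size_t *out_len, size_t *consumed)
{
    size_t i = 0, len = 0;

    if (in_len == 0 || in[0] < '0' || in[0] > '9')
        return BSTR_MALFORMED;
    while (i < in_len && in[i] >= '0' && in[i] <= '9') {
        size_t digit = (size_t)(in[i] - '0');
        /* The declared length is untrusted: refuse to wrap size_t. */
        if (len > (SIZE_MAX - digit) / 10)
            return BSTR_MALFORMED;
        len = len * 10 + digit;
        i++;
    }
    if (i >= in_len || in[i] != ':')
        return BSTR_MALFORMED;
    i++;                                   /* skip the ':' separator */
    if (len > in_len - i)                  /* claims more than was received */
        return BSTR_MALFORMED;
    if (out_cap == 0 || len > out_cap - 1) /* would overrun the destination */
        return BSTR_TOO_LONG;

    memcpy(out, in + i, len);
    out[len] = '\0';
    *out_len = len;
    *consumed = i + len;
    return BSTR_OK;
}

int main(void)
{
    /* Constructed inputs: valid, truncated, too big for out[], huge length. */
    const char *s[] = { "4:spam", "5:spam", "10:0123456789", "99999999999999999999:x" };
    char out[8];
    size_t n, used;
    for (size_t k = 0; k < sizeof s / sizeof s[0]; k++)
        printf("%-24s -> %d\n", s[k], bstr_parse((const uint8_t *)s[k],
               strlen(s[k]), out, sizeof out, &n, &used));
    return 0;
}
```

The same two comparisons (declared length against remaining input, declared length against destination capacity) apply to length-prefixed messages from peers and to tracker responses.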
Archived
This topic is now archived and is closed to further replies.