Firon Posted August 25, 2010

There is a DLL vulnerability in all versions of Windows affecting a great deal of software applications. Subsequently, attack code targeting the μTorrent client surfaced on a third-party website, and while so far no attacks have been reported to us, we have released μTorrent 2.0.4 to fix this vulnerability. The new client disables loading of DLLs from the current working directory and prevents this exploit from functioning. More information about the exploit can be found here: http://www.reuters.com/article/idUS2168761020100825

We take our users' security very seriously, and we sincerely apologize for any inconvenience.

Release notes:
Fix reported DLL exploit

Download it now!

-- 2010-10-07: Version 2.0.4 (build 22450)
- Fix: uTP EACK vulnerability

-- 2010-09-24: Version 2.0.4 (build 22150)
- Fix: uTP ack-timer wrapping issue
- Fix: transfer cap doesn't update unless uTorrent is running

-- 2010-08-28: Version 2.0.4 (build 21586)
- Fix: tracker retry interval bug

-- 2010-08-26: Version 2.0.4 (build 21515)
- Fix: make survey links never show up on XP
- Fix: started and stopped events now correctly sent to torrents with multiple tracker tiers.

-- 2010-08-25: Version 2.0.4 (build 21431)
- Fix: fixed DLL hijack exploit
- Change: add bold text for Ask toolbar offer
- Fix: added groupbox in bandwidth settings
- Fix: Fixed size of static text in transfer cap setting pane to be translatable
- Fix: Fixed peer exchange exploit
- Fix: Safari 5 compatibility for WebUI
- Fix: WebUI security improvements

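Added example (not part of the original post and not µTorrent's code): a Python model of what "disables loading of DLLs from the current working directory" changes, and a check that lists which bare-name DLL loads depend on the working directory. The search order is a simplified model of the Windows default, and all directory and file names are hypothetical and constructed for the demonstration.

```python
import os
import tempfile

def search_order(app_dir, system_dirs, cwd, path_dirs, cwd_enabled=True):
    """Simplified model of the Windows search order for a bare DLL name:
    application directory, system directories, current working directory, PATH.
    cwd_enabled=False models a process that removed the working directory
    (on Windows a process can request this with SetDllDirectoryW(L""); the
    post does not say which mechanism uTorrent uses)."""
    order = [app_dir, *system_dirs]
    if cwd_enabled:
        order.append(cwd)
    return order + list(path_dirs)

def resolve(name, order):
    """Return the first existing file called `name` along `order`, or None."""
    for directory in order:
        candidate = os.path.join(directory, name)
        if os.path.isfile(candidate):
            return candidate
    return None

def cwd_dependent_loads(names, app_dir, system_dirs, cwd, path_dirs):
    """List the DLL names whose resolution changes once cwd is removed."""
    with_cwd = search_order(app_dir, system_dirs, cwd, path_dirs, True)
    without = search_order(app_dir, system_dirs, cwd, path_dirs, False)
    return [n for n in names if resolve(n, with_cwd) != resolve(n, without)]

def demo():
    """Audit three hypothetical imports against a constructed directory tree."""
    with tempfile.TemporaryDirectory() as root:
        app, system, cwd = (os.path.join(root, d)
                            for d in ("app", "system32", "downloads"))
        for d in (app, system, cwd):
            os.makedirs(d)
        # Constructed files; the contents are irrelevant to the lookup.
        for d, name in ((app, "bundled.dll"), (system, "syslib.dll"),
                        (cwd, "syslib.dll"), (cwd, "optional.dll")):
            open(os.path.join(d, name), "w").close()
        names = ["bundled.dll", "syslib.dll", "optional.dll"]
        return cwd_dependent_loads(names, app, [system], cwd, [])

if __name__ == "__main__":
    print(demo())
```

Only the name that exists neither in the application directory nor in the system directory is reported; the copy of `syslib.dll` in the working directory is shadowed by the system directory in both configurations.
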
moogly Posted August 26, 2010

Is the automatic update immediate? Or in a few days as usual?

Firon Posted August 26, 2010

We will autoupdate either later tonight or tomorrow morning. We skipped the beta process for this release because this is more or less the same code that was in BTML 7.0, which has been out for a while now.

sbbz2004 Posted August 26, 2010

I'll update to the latest version right now.

rafi Posted August 26, 2010

I'm disappointed to see that you did publish 2.04, yet didn't take this opportunity to back-port and include most desired and promised functional fixes you did on 2.2 in it. Even small things that were talked about pre 2.2, like the cancellation of double add-torrent dialog-control and such.

I suggest you review those changes and put them in as well. There is still time!

Firon Posted August 26, 2010

No, we are not backporting anything. 2.2 is slated as the next stable, so the 2.0.x line will get nothing but critical fixes. There will probably not be any more releases of 2.0.x, barring some huge problem coming up within the next month and a half or so.

rafi Posted August 26, 2010

I see...

> - Change: add bold text for Ask toolbar offer
> - Fix: added groupbox in bandwidth settings
> - Fix: Fixed size of static text in transfer cap setting pane to be translatable
> - Fix: Safari 5 compatibility for WebUI

VERY critical indeed...

I am aware of the logic behind it, but hey, what am I asking for?

> -- 2010-08-10: Version 2.2 Beta (build 21090)
> - Change: remove the "always show add dialog" and merge its functionality with the "show add dialog"

Fix something that was screwed up in the first place, and is already fixed. A bit of flexibility will not kill you guys...

Sunstep Posted August 26, 2010

[Image: uploaded with ImageShack.us]

Firon Posted August 26, 2010

The survey problem isn't new to 2.0.4. It seems like we neglected to backport the fix for that, so I'll be doing a re-release of 2.0.4 later (and autoupdate it while I'm at it).

paintball9 Posted August 26, 2010

Will 2.2 and 3.0 be receiving the DLL fix in the near future as well?

Firon Posted August 27, 2010

Yes, the next releases will have the fix, as will today's release of BitTorrent 7.0.

Firon Posted August 27, 2010

New release of 2.0.4 up + autoupdate enabled.

saintsoh Posted August 27, 2010

I noticed a tracker (bakabt.com) doesn't allow this 2.0.4 uT client to download but allows earlier versions. What can be the reason?

acmodeu Posted August 27, 2010

It means that this version is not in the list of the allowed clients on the tracker. Wait until the owners update it.

rafi Posted August 27, 2010

Will the "Help file not working" issue require another update?

Firon Posted August 27, 2010

You should tell tracker admins that it is important to allow this release as quickly as possible.

> Will the "Help file not working" issue require another update?

No. It's already been fixed.

Southrop Posted August 27, 2010

> I noticed a tracker (bakabt.com) doesn't allow this 2.0.4 uT client to download but allows earlier versions. What can be the reason?

Southrop from BakaBT here to give you an update.

We simply hadn't updated our whitelist at the time. 2.0.4 has been whitelisted for a few hours now. We will probably remove older versions from the whitelist in the near future to ensure the safety of our users.

Thanks to the uTorrent Dev Team for rolling out an update for the security issue so quickly!

> You should tell tracker admins that it is important to allow this release as quickly as possible.

I'm in agreement with this opinion. I've been personally posting in trackers that I don't regularly use to petition for 2.0.4 to be whitelisted.

znx Posted August 28, 2010

Firon, just sent you an email about this > contal...@hotm

gazzyk1ns Posted August 28, 2010

Thanks for the continued updates to the 2.0.x branch, it's appreciated - I felt the need to say that after registering almost solely to moan about the 2.2 branch. It's quite reassuring, after I was getting a bit worried about the future of µTorrent development.

Firon Posted August 28, 2010

Well, 2.0.x is probably not going to have any more releases, barring some exceptional case.

rafi Posted August 28, 2010

Maybe 2.04 is a good opportunity to 're-use' the good old notification thread that is forgotten since 1.8.5... http://forum.utorrent.com/viewtopic.php?pid=434359#p434359

saintsoh Posted August 28, 2010

Global UL limiting not working. I've low 256kb/s upload and set limit to 10kB/s, UL went as high as 40kB/s.

saintsoh Posted August 28, 2010

>> I noticed a tracker (bakabt.com) doesn't allow this 2.0.4 uT client to download but allows earlier versions. What can be the reason?
>
> Southrop from BakaBT here to give you an update.
>
> We simply hadn't updated our whitelist at the time. 2.0.4 has been whitelisted for a few hours now. We will probably remove older versions from the whitelist in the near future to ensure the safety of our users.
>
> Thanks to the uTorrent Dev Team for rolling out an update for the security issue so quickly!
>
>> You should tell tracker admins that it is important to allow this release as quickly as possible.
>
> I'm in agreement with this opinion. I've been personally posting in trackers that I don't regularly use to petition for 2.0.4 to be whitelisted.

Thanks for the update, please don't wipe out the old versions from your whitelist until 2.0.x is as stable as 1.8.5.

DreadWingKnight Posted August 28, 2010

> Thanks for the update, please don't wipe out the old versions from your whitelist until 2.0.x is as stable as 1.8.5.

So you want to encourage users to remain vulnerable to the exploit that 2.0.4 fixes?

We really don't want to encourage that.

saintsoh Posted August 28, 2010

>> Thanks for the update, please don't wipe out the old versions from your whitelist until 2.0.x is as stable as 1.8.5.
>
> So you want to encourage users to remain vulnerable to the exploit that 2.0.4 fixes?
>
> We really don't want to encourage that.

Not every hacker knows how to exploit DLL. You can't tell it is 100% secure even if it is safeguarded. What every user wants is a stable client even if it is an old version. Simply say why most are still using XP, not upgrading to Win7: because it is stable.

Archived
This topic is now archived and is closed to further replies.