Firon, posted August 25, 2010:

There is a DLL vulnerability in all versions of Windows affecting a great deal of software applications. Subsequently, attack code targeting the μTorrent client surfaced on a third-party website, and while so far no attacks have been reported to us, we have released μTorrent 2.0.4 to fix this vulnerability. The new client disables loading of DLLs from the current working directory and prevents this exploit from functioning.

More information about the exploit can be found here: http://www.reuters.com/article/idUS2168761020100825

We take our users' security very seriously, and we sincerely apologize for any inconvenience.

Release notes:
Fix reported DLL exploit

Download it now!

-- 2010-10-07: Version 2.0.4 (build 22450)
- Fix: uTP EACK vulnerability

-- 2010-09-24: Version 2.0.4 (build 22150)
- Fix: uTP ack-timer wrapping issue
- Fix: transfer cap doesn't update unless uTorrent is running

-- 2010-08-28: Version 2.0.4 (build 21586)
- Fix: tracker retry interval bug

-- 2010-08-26: Version 2.0.4 (build 21515)
- Fix: make survey links never show up on XP
- Fix: started and stopped events now correctly sent to torrents with multiple tracker tiers.

-- 2010-08-25: Version 2.0.4 (build 21431)
- Fix: fixed DLL hijack exploit
- Change: add bold text for Ask toolbar offer
- Fix: added groupbox in bandwidth settings
- Fix: Fixed size of static text in transfer cap setting pane to be translatable
- Fix: Fixed peer exchange exploit
- Fix: Safari 5 compatibility for WebUI
- Fix: WebUI security improvements
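An added illustration, not part of the original thread and not μTorrent's code: a simplified model of the Windows DLL search order for a bare DLL name, showing why dropping the current working directory from the search, as the 2.0.4 announcement above describes, stops a DLL sitting in an untrusted folder from being loaded. All paths and file names are constructed, and the model ignores refinements such as KnownDLLs and manifests.

```python
# Added illustration: simplified model of the classic Windows DLL search
# order for a bare DLL name. All paths and file names below are constructed.
SYSTEM_DIRS = [r"C:\Windows\System32", r"C:\Windows\System", r"C:\Windows"]
APP_DIR = r"C:\Program Files\ExampleApp"   # hypothetical install directory
CWD = r"C:\Users\alice\Downloads"          # hypothetical untrusted working dir
PATH_DIRS = [r"C:\Tools"]                  # hypothetical PATH entry

# Constructed directory listing: directory -> DLL names present there.
FILES = {
    r"C:\Windows\System32": {"syslib.dll"},
    CWD: {"syslib.dll", "optional.dll"},
}
IMPORTS = ["syslib.dll", "optional.dll"]   # bare names the application requests


def search_order(safe_search=True, include_cwd=True):
    """Directories in the order the loader probes them."""
    order = [APP_DIR]
    if include_cwd and not safe_search:
        order.append(CWD)            # legacy mode: CWD right after the app dir
    order += SYSTEM_DIRS
    if include_cwd and safe_search:
        order.append(CWD)            # SafeDllSearchMode: CWD after system dirs
    return order + PATH_DIRS


def resolve(dll, order):
    """First directory in the order that contains dll, else None."""
    for directory in order:
        if dll.lower() in FILES.get(directory, set()):
            return directory
    return None


def loaded_from_cwd(safe_search=True, include_cwd=True):
    """Imports that would be satisfied from the working directory."""
    order = search_order(safe_search, include_cwd)
    return [dll for dll in IMPORTS if resolve(dll, order) == CWD]


if __name__ == "__main__":
    for safe, cwd_on in [(False, True), (True, True), (True, False)]:
        print(f"safe_search={safe} include_cwd={cwd_on}:",
              loaded_from_cwd(safe, cwd_on))
```

SafeDllSearchMode alone only demotes the working directory, so a DLL that exists nowhere else is still picked up from it; removing the working directory from the search closes that remaining case.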

moogly, posted August 26, 2010:

Is the automatic update immediate? Or in a few days as usual?

Firon, posted August 26, 2010:

We will autoupdate either later tonight or tomorrow morning. We skipped the beta process for this release because this is more or less the same code that was in BTML 7.0, which has been out for a while now.

sbbz2004, posted August 26, 2010:

I'll update to the latest version right now.

rafi, posted August 26, 2010:

I'm disappointed to see that you did publish 2.04, yet didn't take this opportunity to back-port and include the most desired and promised functional fixes you did on 2.2 in it. Even small things that were talked about pre 2.2, like the cancellation of double add-torrent dialog-control and such.

I suggest you review those changes and put them in as well. There is still time!

Firon, posted August 26, 2010:

No, we are not backporting anything. 2.2 is slated as the next stable, so the 2.0.x line will get nothing but critical fixes. There will probably not be any more releases of 2.0.x, barring some huge problem coming up within the next month and a half or so.

rafi, posted August 26, 2010:

I see...

- Change: add bold text for Ask toolbar offer
- Fix: added groupbox in bandwidth settings
- Fix: Fixed size of static text in transfer cap setting pane to be translatable
- Fix: Safari 5 compatibility for WebUI

VERY critical indeed.. I am aware of the logic behind it, but hey, what am I asking for?

-- 2010-08-10: Version 2.2 Beta (build 21090)
- Change: remove the "always show add dialog" and merge its functionality with the "show add dialog"

Fix something that was screwed up in the first place, and is already fixed. A bit of flexibility will not kill you guys...

Sunstep, posted August 26, 2010:

Uploaded with ImageShack.us

Firon, posted August 26, 2010:

The survey problem isn't new to 2.0.4. It seems like we neglected to backport the fix for that, so I'll be doing a re-release of 2.0.4 later (and autoupdate it while I'm at it).

paintball9, posted August 26, 2010:

Will 2.2 and 3.0 be receiving the DLL fix in the near future as well?

Firon, posted August 27, 2010:

Yes, the next releases will have the fix, as will today's release of BitTorrent 7.0.

Firon, posted August 27, 2010:

New release of 2.0.4 up + autoupdate enabled.

saintsoh, posted August 27, 2010:

I noticed a tracker (bakabt.com) doesn't allow this 2.0.4 uT client to download but allows earlier versions. What can be the reason?

acmodeu, posted August 27, 2010:

It means that this version is not in the list of the allowed clients on the tracker. Wait until the owners update it.

rafi, posted August 27, 2010:

Will the "Help file not working" issue require another update?

Firon, posted August 27, 2010:

You should tell tracker admins that it is important to allow this release as quickly as possible.

> Will the "Help file not working" issue require another update?

No. It's already been fixed.

Southrop, posted August 27, 2010:

> I noticed a tracker (bakabt.com) doesn't allow this 2.0.4 uT client to download but allows earlier versions. What can be the reason?

Southrop from BakaBT here to give you an update.

We simply hadn't updated our whitelist at the time. 2.0.4 has been whitelisted for a few hours now. We will probably remove older versions from the whitelist in the near future to ensure the safety of our users.

Thanks to the uTorrent Dev Team for rolling out an update for the security issue so quickly!

> You should tell tracker admins that it is important to allow this release as quickly as possible.

I'm in agreement with this opinion. I've been personally posting in trackers that I don't regularly use to petition for 2.0.4 to be whitelisted.

znx, posted August 28, 2010:

Firon, just sent you an email about this > contal...@hotm

gazzyk1ns, posted August 28, 2010:

Thanks for the continued updates to the 2.0.x branch, it's appreciated - I felt the need to say that after registering almost solely to moan about the 2.2 branch. It's quite reassuring, after I was getting a bit worried about the future of µTorrent development.

Firon, posted August 28, 2010:

Well, 2.0.x is probably not going to have any more releases, barring some exceptional case.

rafi, posted August 28, 2010:

Maybe 2.04 is a good opportunity to 're-use' the good old notification thread that has been forgotten since 1.8.5... http://forum.utorrent.com/viewtopic.php?pid=434359#p434359

saintsoh, posted August 28, 2010:

Global UL limiting not working. I've low 256kb/s upload and set limit to 10kB/s, UL went as high as 40kB/s.

saintsoh, posted August 28, 2010:

> > I noticed a tracker (bakabt.com) doesn't allow this 2.0.4 uT client to download but allows earlier versions. What can be the reason?
>
> Southrop from BakaBT here to give you an update.
>
> We simply hadn't updated our whitelist at the time. 2.0.4 has been whitelisted for a few hours now. We will probably remove older versions from the whitelist in the near future to ensure the safety of our users.
>
> Thanks to the uTorrent Dev Team for rolling out an update for the security issue so quickly!
>
> > You should tell tracker admins that it is important to allow this release as quickly as possible.
>
> I'm in agreement with this opinion. I've been personally posting in trackers that I don't regularly use to petition for 2.0.4 to be whitelisted.

Thanks for the update, please don't wipe out the old versions from your whitelist until 2.0.x is as stable as 1.8.5.

DreadWingKnight, posted August 28, 2010:

> Thanks for the update, please don't wipe out the old versions from your whitelist until 2.0.x is as stable as 1.8.5.

So you want to encourage users to remain vulnerable to the exploit that 2.0.4 fixes?

We really don't want to encourage that.

saintsoh, posted August 28, 2010:

> > Thanks for the update, please don't wipe out the old versions from your whitelist until 2.0.x is as stable as 1.8.5.
>
> So you want to encourage users to remain vulnerable to the exploit that 2.0.4 fixes?
>
> We really don't want to encourage that.

Not every hacker knows how to exploit a DLL. You can't tell it is 100% secure even if it is safeguarded. What every user wants is a stable client, even if it is an old version. Simply say why most are still using XP and not upgrading to Win7: because it is stable.