Tavis Ormandy's announcement on Twitter.
According to Ormandy, the vulnerabilities in uTorrent's desktop and web versions stem from various JSON-RPC issues. Both versions use a web interface to display web content.
An attacker with a fake website can exploit the client-side vulnerability by hiding commands (such as downloading malware to your computer's startup folder or accessing user download information) within web pages that interact with uTorrent's RPC servers.
BitTorrent said the vulnerability was fixed in the most recent beta version of the desktop uTorrent Windows app. A patch for existing customers will be released in the next few days.
To fix this vulnerability, users can download the fixed beta release of the desktop version, 3.5.3.44352 (http://www.utorrent.com/downloads/complete/track/beta/os/win).