

There's a critical weakness in the widely used Transmission BitTorrent app that allows websites to execute malicious code on some users' computers. That's according to a researcher with Google's Project Zero vulnerability reporting team, who also warns that other BitTorrent clients are likely similarly susceptible.

Researcher Tavis Ormandy published the proof-of-concept attack code last week, along with a detailed description of the underlying vulnerability it exploited. Normally, Project Zero withholds publication of such details for 90 days or until the developer has released a fix. In this case, however, Ormandy's private report to Transmission included a patch that completely fixed the vulnerability. The researcher went ahead and disclosed the vulnerability last Tuesday, only 40 days after the initial report, because Transmission developers had yet to apply it. Ormandy said the publication would allow Ubuntu and other downstream projects to independently install the fix.

"I'm finding it frustrating that the Transmission developers are not responding on their private security list," Ormandy wrote in Tuesday's public report. "I suggested moving this into the open so that distributions can apply the patch independently." A Transmission development official told Ars that he expected an official fix to be released "ASAP" but was not specific.
