Update to Bitcoin Client Fixes DoS Bug, Password Strength

Type threatpost
Reporter Chris Brook
Modified 2013-09-04T19:50:25


The developers behind Bitcoin-QT, a software wallet used to protect and back up Bitcoin currency, have pushed out a new version of the client that fixes a critical denial-of-service bug and three other security issues, and strengthens password security.

Version 0.8.4 of the original Bitcoin client was posted to SourceForge early this morning, and anyone running an out-of-date version is being instructed to update, either by running the Windows installer or by copying over the new code on Mac and Linux builds.

According to the update summary, an attacker could have sent a series of messages that would have triggered an integer division-by-zero error in the Bloom filter handling code. This DoS bug would have crashed versions 0.8.0 through 0.8.3 of the program. Bloom filters are probabilistic data structures used for set-membership tests; Bitcoin uses them so that full nodes send only the transactions relevant to a lightweight client.

The update also adds a constant-time comparison for checking RPC password guesses (CVE-2013-4165), closing a timing side channel, and a fix for the fill-memory-with-orphan-transactions attack (CVE-2013-4627), which a previous, buggy patch had reopened to new attack vectors.
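To illustrate the constant-time check described above, here is an added example (not Bitcoin-QT's own code) that places a naive early-exit password comparison beside a constant-time one; the `steps` counter is an assumed instrumentation hook that makes the timing difference visible without a stopwatch.

```cpp
#include <cstddef>
#include <string>

// Weak form: returns as soon as a byte differs, so the time taken depends on
// how many leading bytes of the guess match the real password. The 'steps'
// out-parameter (added here for illustration) counts bytes examined.
bool naiveEquals(const std::string& expected, const std::string& guess,
                 size_t& steps) {
    steps = 0;
    if (expected.size() != guess.size()) return false;
    for (size_t i = 0; i < expected.size(); ++i) {
        ++steps;
        if (expected[i] != guess[i]) return false;  // early exit leaks position
    }
    return true;
}

// Hardened form: always walks every byte of the expected value and folds
// differences together with OR, so the running time does not depend on where
// (or whether) the guess diverges. A length mismatch is folded into the
// result instead of short-circuiting; bytes past the end of a short guess
// are compared against zero.
bool constantTimeEquals(const std::string& expected, const std::string& guess,
                        size_t& steps) {
    steps = 0;
    unsigned char diff =
        static_cast<unsigned char>(expected.size() != guess.size());
    for (size_t i = 0; i < expected.size(); ++i) {
        ++steps;
        unsigned char g = i < guess.size()
            ? static_cast<unsigned char>(guess[i]) : 0;
        diff |= static_cast<unsigned char>(expected[i]) ^ g;
    }
    return diff == 0;
}
```

With the naive version, a guess wrong in its first byte is rejected after one step while a guess wrong only in its last byte takes nine, and that difference is what a remote caller can measure; the constant-time version takes the same number of steps either way.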

Bitcoin-QT is the oldest Bitcoin client and is often referred to as the gold standard or backbone of the popular, decentralized network. The currency’s website touts Bitcoin-QT as having the “highest levels of security, privacy, and stability,” and users favor the client because they control their own keys and each user acts as a node in the network.

Bitcoin, the decentralized virtual currency that popped into the cultural mainstream this summer, has already proved a popular target for attackers. Hackers knocked the Mt. Gox trading exchange offline in April, and the dangers of conducting transactions on Android devices were highlighted just last month.