Welcome to Kametsu

Register now to gain access to all of our features. Once registered and logged in, you will be able to contribute to this site by submitting your own content or replying to existing content. You'll be able to customize your profile, receive reputation points as a reward for submitting content, while also communicating with other members via your own private inbox, plus much more!

This message will be removed once you have signed in.

Sign in to follow this  
Followers 0
Goku22

VLC / streaming - vulnerabilities - malicious subtitle files

7 posts in this topic

Posted (edited)

I just came across this news on a other website and i thought i'd share it here with everyone so everybody can take precautions.

 

It seems popular streaming platforms such as VLC, Kodi (XBMC), Popcorn-Time and strem.io have vulnerabilities.

Check Point researchers revealed a new attack vector which threatens millions of users worldwide – attack by subtitles.

Apparently it is possible to craft malicious subtitle files which can be included with any video.
When an victim’s media player plays ore downloads a subtitle file through a streaming device the attackers can take complete control over the device.

 

Here's a link to the full article:

http://blog.checkpoint.com/2017/05/23/hacked-in-translation/

 

Kodi, VLC, Popcorn Time and Stremio are the platforms on which the researchers tested their hack, but they expect that many other media players are also vulnerable.

The aforementioned parties are informed in advance and have the vulnerabilities according to Check Point already partially solved, while further research is done.

VLC and Stremio have updated their software released to fix the vulnerability.

The team behind Kodi will have the vulnerability being addressed in version 17.2

 

For users of VLC: be sure to check manually if your version number is version 2.2.6 sins it doesn't always update to the latest right away.

 

Edited by Goku22

Share this post


Link to post
Share on other sites

The flaw seems to stem from the way certain players handle automatically extracting subtitles from .zip archives. As long as you use only embedded subs and/or .ass/.srt files the vulnerability isn't relevant.

 

On 2017-5-24 at 6:19 AM, Goku22 said:

they expect that many other media players are also vulnerable

MPC-HC's internal subtitle renderer doesn't seem to be affected by this vulnerability. XySubFilter's dev has left us in the dark since 2015 so no word on whether it's affected yet.

1 person likes this

Share this post


Link to post
Share on other sites

It only impacted certain versions on certain os's, right?

Share this post


Link to post
Share on other sites
27 minutes ago, thy52 said:

It only impacted certain versions on certain os's, right?

If you have the latest VLC you are safe. They fixed it with an update.

1 person likes this

Share this post


Link to post
Share on other sites
1 hour ago, MaxxCatt said:

If you have the latest VLC you are safe. They fixed it with an update.

Cool, thanks!

Share this post


Link to post
Share on other sites

I'm glad this doesn't apply to me. Never liked subtitles unless it's in a movie or something, but that's another story.

Share this post


Link to post
Share on other sites

Yeah i thought i'd share it here sins subtitles are mostly used with anime series.

Like @MaxxCatt mentioned if you have the latest VLC you are safe. They fixed it already.

Also thanks @Superoswald for clearing that up i wasn't aware this vulnerability was related to only .zip archived subtitles.

Makes sense because it would be pretty strange if someone would be able to embedded malicious stuff in  .ass , .srt files etc.

 

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!


Register a new account

Sign in

Already have an account? Sign in here.


Sign In Now
Sign in to follow this  
Followers 0