Goku22 Posted May 24, 2017 (edited)

I just came across this news on another website and I thought I'd share it here with everyone so everybody can take precautions. It seems popular streaming platforms such as VLC, Kodi (XBMC), Popcorn-Time and strem.io have vulnerabilities.

Check Point researchers revealed a new attack vector which threatens millions of users worldwide – attack by subtitles. Apparently it is possible to craft malicious subtitle files which can be included with any video. When a victim's media player plays or downloads a subtitle file through a streaming device, the attackers can take complete control over the device.

Here's a link to the full article: http://blog.checkpoint.com/2017/05/23/hacked-in-translation/

Kodi, VLC, Popcorn Time and Stremio are the platforms on which the researchers tested their hack, but they expect that many other media players are also vulnerable. The aforementioned parties were informed in advance and, according to Check Point, have already partially solved the vulnerabilities, while further research is done. VLC and Stremio have released updated software to fix the vulnerability. The team behind Kodi will have the vulnerability addressed in version 17.2.

For users of VLC: be sure to check manually if your version number is version 2.2.6, since it doesn't always update to the latest right away.

Edited May 26, 2017 by Goku22
Superoswald Posted May 26, 2017

The flaw seems to stem from the way certain players handle automatically extracting subtitles from .zip archives. As long as you use only embedded subs and/or .ass/.srt files the vulnerability isn't relevant.

On 2017-5-24 at 6:19 AM, Goku22 said:
    they expect that many other media players are also vulnerable

MPC-HC's internal subtitle renderer doesn't seem to be affected by this vulnerability. XySubFilter's dev has left us in the dark since 2015 so no word on whether it's affected yet.
thy52 Posted July 20, 2017

It only impacted certain versions on certain OSes, right?
MaxxCatt Posted July 20, 2017

27 minutes ago, thy52 said:
    It only impacted certain versions on certain OSes, right?

If you have the latest VLC you are safe. They fixed it with an update.
thy52 Posted July 20, 2017

1 hour ago, MaxxCatt said:
    If you have the latest VLC you are safe. They fixed it with an update.

Cool, thanks!
ElementalCards Posted July 20, 2017

I'm glad this doesn't apply to me. Never liked subtitles unless it's in a movie or something, but that's another story.
Goku22 Posted July 26, 2017 (Author)

Yeah, I thought I'd share it here since subtitles are mostly used with anime series. Like @MaxxCatt mentioned, if you have the latest VLC you are safe. They fixed it already. Also thanks @Superoswald for clearing that up, I wasn't aware this vulnerability was related to only .zip archived subtitles. Makes sense because it would be pretty strange if someone would be able to embed malicious stuff in .ass, .srt files etc.