Malicious Subtitles Threaten VLC, Kodi and Popcorn Time Users, Researchers Warn (torrentfreak.com)
Millions of people risk having their devices and systems compromised by malicious subtitles, according to new research published by security firm Check Point. The threat comes from a previously undocumented vulnerability which affects users of popular streaming software, including Kodi, Popcorn Time, and VLC. Developers of the applications have already applied fixes or, in some cases, are still working on them. From a report: While most subtitle makers do no harm, it appears that those with malicious intent can exploit these popular streaming applications to penetrate the devices and systems of their users. Researchers from Check Point, who uncovered the problem, describe the subtitle 'attack vector' as the most widespread, easily accessed and zero-resistance vulnerability that has been reported in recent years. "By conducting attacks through subtitles, hackers can take complete control over any device running them. From this point on, the attacker can do whatever he wants with the victim's machine, whether it is a PC, a smart TV, or a mobile device," they write.
Always verify user input and external data (Score:3, Insightful)
If it can be abused, then someone will do it. Why is it so difficult for developers to learn this?
Re: (Score:2)
If it can be abused, then someone will do it. Why is it so difficult for developers to learn this?
True, but don't stop there. Defense is about layers, so ensuring even the functions internally don't trust data coming into them any more than they absolutely have to also makes not only for a great defense strategy but also for very good debugging - the code will become smarter and bugs will be more obvious and easier to catch early; and no, it doesn't have a significant impact on performance.
Re: (Score:2)
I donno, little Bobby Tables [youtube.com] figured this out a long time ago.
Re: (Score:3)
Dammit, wrong URL.
Should've been to XKCD https://xkcd.com/327/ [xkcd.com]
Guess I should check my buffers before pasting and submitting stuff.
Re: (Score:1)
Re: (Score:2)
Are people generally in the habit of copying links to porn? That seems like a particularly terrible idea.
Muh Anime!!! (Score:2)
Plain Text (Score:4, Insightful)
Comment removed (Score:5, Informative)
Re: (Score:2)
So let me get this right.
Instead of having a text renderer built into the player and the subtitles just be stored in a file with the appropriate timecodes, the DVD people decided that the best way to go was to slap subtitles in as a transparent image overlay?
Re:Plain Text (Score:4, Interesting)
I remember when I wanted to get the subtitles off a blu ray, it was done via OCR. Support your .srt creating peeps, it's a pain in the ass.
Might have something to do with font styles, alphabets and such. Easier to have it pre-rendered than to put text formatting logic in the players.
Re: (Score:3)
Pretty much.
Closed captions are a text stream. DVD/BD subtitles are image overlays.
Re:Plain Text (Score:5, Informative)
Remember, DVD players hit the mass market in 1997. Rendering a font in real-time for each language would have increased the cost of the processor. Compositing could be handled by the same video chipset that handled animated menus.
Re: (Score:3)
There are a lot of languages in the world. Bitmaps ensure that any player can render any character. And it's also the same system that handles overlays on the menu systems, so less code overall too. Players are relatively dumb devices that don't need their own font system, nor do they need to support decoding every character in Unicode.
Also, where the subtitle is placed on the screen is sometimes important to avoid covering important action on the screen. A cinemascope movie has extra black space at the
Re: (Score:2)
DVD is pretty old. Rendering the text may have been too computationally expensive at the time.
Re: (Score:1)
Blu Ray subtitles are still done with high resolution bitmaps to this day. As mentioned elsewhere, it lets the player be relatively stupid by punting the complexity of fonts/Unicode off to whoever's authoring the disc.
Re: (Score:2)
Well, yes. Because it's better that way.
First, you aren't limited to choice of fonts. You have to remember the Blu-Ray standard is over 10 years old by now. The number of characters available in Unicode has increased dramatically - additional languages, emojis, etc.
Second, you aren't limited t
Re: (Score:2)
And all the emojis. Yet another reason why Unicode is a crock of shit.
Re: (Score:2)
I'm sure it's because of easy control of the display. If you want control over the size, position, color, and style of the subtitles, then storing text is insufficient. You'd need some kind of markup language. Then you risk running into issues where different manufacturers/developers have different implementations of the rendering code, and so different players show the subtitles differently.
Also, if you want to be able to control the font, you'd either need the whole world and all video players to sta
Re: (Score:2)
Re: (Score:2)
Guessing it has something to do with how it synchs up with the video. Also guessing that instead of including timestamps on the text data, it's some sort of interpreted system using xml.
Splice in some javascript or whatever language the player is using and there you go. A nice side channel hack.
Re: (Score:1)
On the other hand, comments after my own are implying that subtitles are more complicated than plain text. Back to square one.
Re: (Score:1)
How else? H1B visa holders.
Re: (Score:2)
There are a couple dozen subtitle formats; some are much more than simple text and timecodes, they look a lot like HTML files.
Re: (Score:3)
From TFA:
But it does not say exactly what the vulnerability is; maybe that is still embargoed.
Re:Plain Text (Score:5, Funny)
To begin with, there are over 25 subtitle formats in use, each with unique features and capabilities. Media players often need to parse together multiple subtitle formats to ensure coverage and provide a better user experience, with each media player using a different method.
25?! Ridiculous!
We need to develop one universal standard that covers everyone's use cases.
Re: (Score:2, Funny)
https://xkcd.com/927/ [xkcd.com]
Re: (Score:3)
Re: (Score:1)
Re: (Score:2)
According to a post by a site admin at opensubtitles.org, the problem was in the filenames of the subtitle files, and special characters in those names. Apparently some media players weren't careful in how they parsed the names.
Re: (Score:3)
Ask Bobby Tables!
Re: (Score:2)
The "arbitrary code execution" hacks are generally exploiting buffer overflows and the one area that tended to be rather full of overflowable buffers was text processing where people were using "reasonably large" buffers without checking the size of the input (the gets() function of the standard C library was a really shining example).
Re: (Score:1)
Because the OS is too 'stupid' to protect itself and sandbox user space.
Re: (Score:2)
Re: (Score:1)
Re:Plain Text (Score:5, Insightful)
plain-text subtitle system
What on earth makes you think the subtitle system is plain text? There is one system that is plain text and that is the SRT format.
The rest are made up of various features such as displaying static images, controlling fade, and dynamic adjustment of font and colouring to suit things like karaoke. There are heaps of different subtitle formats to choose from, each with their own mix of either plain text or encoded formats. Even among the plain text ones it isn't simple. Want to use WebVTT? Well, now you have your subtitle system tied to an HTML / CSS processor.
Re: (Score:2)
How on earth does one design a plain-text subtitle system capable of being instructed to execute code?
Well in terms of the Butter fix linked it would appear they put the subtitles as text into a JS-rendered page. No sanitation = text interpreted as JavaScript run as local code outside any sandbox. The fix is really just this:
strings = Common.sanitize(strings); // xss-style attacks // restore srt format
strings = strings.replace(/--\>\;/g, '-->');
So many developers have a "bang it until it works" mentality, they couldn't see a security hole the size of a barn door without working exploit code. And ev
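The comment above describes subtitle text being dropped into a JS-rendered page without escaping. The block below is an added example, not Butter's or any player's code: it parses a constructed SRT sample with strict timecode validation and renders the cue text with HTML escaping beside the unescaped rendering the comment describes. Because only the cue text (never the timing line) is escaped, the `-->` separator never needs to be restored as in the quoted fix.

```javascript
// Constructed SRT input: cue 2 carries a script tag, cue 3 has a broken timing line.
const SRT_SAMPLE = [
  "1", "00:00:01,000 --> 00:00:03,500", "Do you like dags?", "",
  "2", "00:00:04,000 --> 00:00:06,000",
  "<script>alert('subtitle')</script>", "Oh, you mean dogs!", "",
  "3", "bad timecode line", "text",
].join("\n");

// Exact SRT timing line: HH:MM:SS,mmm --> HH:MM:SS,mmm (nothing else accepted).
const TIME_RE =
  /^(\d{2}):(\d{2}):(\d{2}),(\d{3}) --> (\d{2}):(\d{2}):(\d{2}),(\d{3})$/;

function toMillis(h, m, s, ms) {
  return ((Number(h) * 60 + Number(m)) * 60 + Number(s)) * 1000 + Number(ms);
}

// Parse SRT into {start, end, text} cues, skipping any malformed block
// instead of trying to guess what it meant.
function parseSrt(text) {
  const cues = [];
  for (const block of text.split(/\r?\n\r?\n/)) {
    const lines = block.split(/\r?\n/).filter((l) => l.length > 0);
    if (lines.length < 3 || !/^\d+$/.test(lines[0])) continue; // no index/timing/text
    const m = TIME_RE.exec(lines[1]);
    if (!m) continue; // timing line does not match the format exactly
    const start = toMillis(m[1], m[2], m[3], m[4]);
    const end = toMillis(m[5], m[6], m[7], m[8]);
    if (end < start) continue; // impossible cue
    cues.push({ start, end, text: lines.slice(2).join("\n") });
  }
  return cues;
}

// Escape the five characters that let text become markup inside HTML.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened rendering: cue text is data, line breaks become <br> only after escaping.
function renderCueHtml(cue) {
  return `<div class="cue">${escapeHtml(cue.text).replace(/\n/g, "<br>")}</div>`;
}

// The pattern the comment describes: subtitle text concatenated straight into markup.
function renderCueUnsafe(cue) {
  return `<div class="cue">${cue.text}</div>`;
}
```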
Re: (Score:2)
So many developers have a "bang it until it works" mentality, they couldn't see a security hole the size of a barn door without working exploit code. And even then they'll make a hare-brained fix for that particular code, still leaving the barn door open.
No! Definitely not true. They will partly close that barn door, blast a brand new bigger hole in the side wall, and add 18 additional locks to make it impossible for any legitimate user to get into the barn.
Hacking: A Beginner's Guid^k^s^#8#94873&^& (Score:2)
Duh. (Score:1)
Re: (Score:2)
It's a user controlled format that allows for the preservation of works that even the publisher wants suppressed. There are a number of things that simply aren't available from streaming services. Some publishers/services like to "expire" things or "put them in the vault".
A user controlled format avoids any of that.
Kodi has already patched this hole (Score:3)
Look out for those bootleg Hungarian dubs! (Score:5, Funny)
"Zis tabakonist is scratched. I weel not buy eet."
"My hovercraft is full of eels. Do you want to come back to my place, bouncy-bouncy?"
Of course, it's the German gag dub that's the real killer: "Wenn ist das Nunnstuck, git und Slotermayer..."
Re: (Score:1)
Nothing new here (Score:3)
Did you never watch Mystery Science Theater 3000?
Re: (Score:2)
Re: (Score:2)
Yup, back when it was only here in The Cities. Great show!
Re: (Score:2)
Yeah! KTMA channel 23! I remember watching Joel and the bots as a kid. I have since moved on to be firmly in the Mike camp and was onboard with Rifftrax.com within its first year. I have to say though, I think Joel really made a strong comeback with the new Netflix MST3K, it is really good! Any way you slice it, today is a good day to be an MST3K fan!
Does this apply to third-party vendors... (Score:3)
And Hitler ... (Score:2)
Re: subtitle lulz (Score:2, Insightful)
And, if you ever lose your hearing, as I did in the US Navy, you'll find subtitles to be a necessity. I hope you're not claustrophobic, you'd go crazy in that closed little mind of yours.
Re: (Score:3)
As a non-native English speaker, the subtitles, whereas not really necessary, do come in handy.
Linux (Score:1)
my hovercraft (Score:2)
... is full of eels.
Comment/Question (Score:1)
Re:How to avoid these vulnerabilities (Score:5, Interesting)
What does this have to do with anything?
I have bought a number of movies during the years, most of which did not have a readily-available Romanian subtitle at release. My wife doesn't speak English but understands it to some extent, the threshold being thick accents. Try to watch "Snatch" without subtitles, even in English, and you'll understand. "Doo ya leik dags?"
I have a bunch of movies on DVDs which I can enjoy but she can't, so I either rip them to HDD or download the same movie online, then attach a subtitle to it. Now we can both enjoy the movie at its fullest.
What I am doing is not piracy by any means, it's an extension of already existing features which I legally own the right to use.
Re: (Score:2)
Doo ya leik dags
To be fair, the immediate line following this one is: "Oh you mean dogs!"
It's kind of like in the Assassins Creed movies in one of the scenes it all sounds a bit like gibberish, but if you turn on subtitles you're greeted with the wonderful subtitle: (man speaking Spanish backwards) as if that was at all relevant.
But yes I do understand what you mean. I also watch native movies with subtitles because reading cuts through accents.
Re: (Score:1)
war4peace, you can mitigate issues by running Kodi on a Raspberry Pi. They cost about $100, but can run as an independent media server right next to your TV. They include wifi so cabling will not be an issue. This will isolate security problems from your laptop or PC that you may be using now. So infections will not affect your personal computer documents.
You can also set your router to isolate your Raspberry Pi to a separate network from the one you use for computers, laptops and phones. This way a complet
Re: (Score:2)
Is it capable of transcoding 4K bluray-quality H.265 to 1080p without stuttering? I'm yet to find a non-PC device capable of doing so. The Thecus N5810 came close (1080p only though) but no cigar.
Re:How to avoid these vulnerabilities (Score:5, Insightful)
If you want to ensure that you don't fall victim to these vulnerabilities, there's an easy way to be sure you're safe. Don't break the law by pirating content and software. If you refrain from piracy, you will be safe. Hope that helps.
You are quite wrong, on all accounts.
I download Spanish subtitles for movies we've legally purchased all the time, because they did not come with those subtitles. So, you are wrong about legal purchases negating the need for these subtitles.
I've also gotten computer viruses from legally purchased and authentic software. Got one from a game I bought at Gamestop, back when games came on floppies. Anti-virus caught it as soon as the disk went into the drive. So, you are wrong about legal purchases keeping you safe.
Remember Sony's root kit debacle? Sometimes you're not safe from the corporation you're buying from.
Re: (Score:2)
Re: (Score:3)
Mexico is region one. I'm in the US, in a household of all US citizens, but a household of majority Spanish speakers. So, only region one media and players are available to us.
Re: (Score:1)
I thought Mexico was region 4, like Brazil. o.o;
-uso.
Re: (Score:2)
There are only 3 regions if you're not buying 20 year old obsolete media.
Brazil is also Region 1 on Bluray. All American continents are.
Re: (Score:2)
you are supposed to wait for a region locked Spanish version to be released
What region? Blurays Region A covers all of North and South America. Is every product in the USA supposed to have a Spanish subtitle?
Re: (Score:2)
The only reason I would ever need a 3rd party sub file is if the original publisher was too cheap to include one or too incompetent to include a good one.
Re: (Score:2)
So it sounds like you are likely to need a third party sub file.
Re: (Score:1)
If you refrain from piracy, you will be safe.
Yes, you are so right [wikipedia.org]!
Oh wait... Poe's law, right?
Re: (Score:3)
You're [wikipedia.org]
still [tripwire.com]
not [arstechnica.com]
safe. [extremetech.com]
Re: (Score:3)
If you refrained from piracy, your Commodore 64's drive would need repair much more frequently because an anti-piracy measure involves reading "bad" sectors and causing the hard drive to knock at sector 0 (and thus misalign the head.)
If you refrain from piracy, you get a free rootkit while you play games such as Street Fighter V.
If you refrain from piracy in the future... well, I'm uncertain what will happen on the technical side, but you won't be able to purchas
Re: (Score:2)
I used to make some nice coin re-aligning 1541 drives since I had an o-scope to find the cat's eye.
Re: (Score:2)
Don't break the law by pirating content and software.
There's nothing illegal about downloading subtitles for a movie.
Re: (Score:2)
I think it's a stretch to say that every user of Linux is reviewing the kernel source. I know that I use it regularly and I'm not a coder, just a networking geek. I *have* the source, but other than a very high-level understanding of what it purports to do, I really have no idea what the code actually does.