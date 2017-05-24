

 



Malicious Subtitles Threaten VLC, Kodi and Popcorn Time Users, Researchers Warn (torrentfreak.com) 46

Posted by msmash from the security-woes dept.
Millions of people risk having their devices and systems compromised by malicious subtitles, according to new research published by security firm Check Point. The threat comes from a previously undocumented vulnerability which affects users of popular streaming software, including Kodi, Popcorn-Time, and VLC. Developers of the applications have already applied fixes and, in some cases, are working on it. From a report: While most subtitle makers do no harm, it appears that those with malicious intent can exploit these popular streaming applications to penetrate the devices and systems of these users. Researchers from Check Point, who uncovered the problem, describe the subtitle 'attack vector' as the most widespread, easily accessed and zero-resistance vulnerability that has been reported in recent years. "By conducting attacks through subtitles, hackers can take complete control over any device running them. From this point on, the attacker can do whatever he wants with the victim's machine, whether it is a PC, a smart TV, or a mobile device," they write.


  • Always verify user input and external data (Score:1)

    by Anonymous Coward

    If it can be abused, then someone will do it. Why is it so difficult for developers to learn this?

  • Who didn't freaking use a strnlen on subtitles?!

  • Plain Text (Score:4, Insightful)

    by Gornkleschnitzer ( 4539195 ) on Wednesday May 24, 2017 @10:08AM (#54476823)
    How on earth does one design a plain-text subtitle system capable of being instructed to execute code?

    • Re:Plain Text (Score:5, Informative)

      by squiggleslash ( 241428 ) on Wednesday May 24, 2017 @10:17AM (#54476881) Homepage Journal

      Not that it changes your question much, but I think a significant number of subtitle systems (I know DVD does this for one) are based on low depth bitmaps, not text. That said, that makes it harder to understand why they'd be so easy to code badly, given bitmaps have an easily calculated maximum size.

      • Re: (Score:2)

        by H3lldr0p ( 40304 )

        So let me get this right.

        Instead of having a text renderer built into the player and the subtitles just be stored in a file with the appropriate timecodes, the DVD people decided that the best way to go was to slap subtitles in as a transparent image overlay?

        • Re: (Score:1)

          by Anonymous Coward

          I remember when I wanted to get the subtitles off a blu ray, it was done via OCR. Support your .srt creating peeps, it's a pain in the ass.

          Might have something to do with font styles, alphabets and such. Easier to have it pre-rendered than text formatting logic in the players.

        • Re: (Score:3)

          by jedidiah ( 1196 )

          Pretty much.

          Closed captions are a text stream. DVD/BD subtitles are image overlays.

    • Re: (Score:2)

      by H3lldr0p ( 40304 )

      Guessing it has something to do with how it synchs up with the video. Also guessing that instead of including timestamps on the text data, it's some sort of interpreted system using xml.

      Splice in some javascript or whatever language the player is using and there you go. A nice side channel hack.

    • Re: (Score:2)

      by dafradu ( 868234 )

      There are a couple dozen subtitle formats, some are much more than a simple text and timecode, they look a lot like HTML files.

    • From TFA:

      To begin with, there are over 25 subtitle formats in use, each with unique features and capabilities. Media players often need to parse together multiple subtitle formats to ensure coverage and provide a better user experience, with each media player using a different method.

      But it does not say exactly what the vulnerability is, maybe that is still embargoed.

      • Re: (Score:3)

        by Merk42 ( 1906718 )

        To begin with, there are over 25 subtitle formats in use, each with unique features and capabilities. Media players often need to parse together multiple subtitle formats to ensure coverage and provide a better user experience, with each media player using a different method.

        25?! Ridiculous!
        We need to develop one universal standard that covers everyone's use cases.

    • Ask Bobby Tables!

    • Re: (Score:2)

      by dabadab ( 126782 )

      The "arbitrary code execution" hacks are generally exploiting buffer overflows and the one area that tended to be rather full of overflowable buffers was text processing where people were using "reasonably large" buffers without checking the size of the input (the gets() function of the standard C library was a really shining example).
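
The buffer-handling point in the comment above, as an added example (not part of the thread, and not code from Check Point or any of the players named; the page does not disclose the actual flaws). It fills a fixed-size cue buffer from an SRT-style timing line and a text line of untrusted length, rejecting oversized input; `struct cue`, `CUE_TEXT_MAX` and both function names are hypothetical.

```c
#include <stdio.h>
#include <string.h>

#define CUE_TEXT_MAX 256  /* assumed limit for this example only */

struct cue {
    long start_ms, end_ms;
    char text[CUE_TEXT_MAX];
};

/* Parse "HH:MM:SS,mmm --> HH:MM:SS,mmm" into milliseconds; 0 on success. */
static int parse_times(const char *line, long *start, long *end)
{
    unsigned h1, m1, s1, f1, h2, m2, s2, f2;
    /* Field widths bound every number, so the arithmetic cannot overflow. */
    if (sscanf(line, "%2u:%2u:%2u,%3u --> %2u:%2u:%2u,%3u",
               &h1, &m1, &s1, &f1, &h2, &m2, &s2, &f2) != 8)
        return -1;
    if (m1 > 59 || s1 > 59 || m2 > 59 || s2 > 59)
        return -1;
    *start = ((h1 * 60L + m1) * 60 + s1) * 1000 + f1;
    *end   = ((h2 * 60L + m2) * 60 + s2) * 1000 + f2;
    return *end >= *start ? 0 : -1;
}

/* Build a cue from untrusted lines. The pattern the comment describes is
 * strcpy(c->text, text), or gets() into a fixed buffer: nothing ties the
 * copy to sizeof c->text. Here the length is checked before any copy.
 * Returns 0 on success, -1 on bad timing, -2 if the text does not fit. */
int cue_from_lines(struct cue *c, const char *timing, const char *text)
{
    size_t n;
    if (parse_times(timing, &c->start_ms, &c->end_ms) != 0)
        return -1;
    n = strlen(text);
    while (n > 0 && (text[n - 1] == '\n' || text[n - 1] == '\r'))
        n--;                      /* drop the line ending */
    if (n >= sizeof c->text)
        return -2;                /* reject: no overflow, no silent truncation */
    memcpy(c->text, text, n);
    c->text[n] = '\0';
    return 0;
}
```
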

    • Because the OS is too 'stupid' to protect itself and sandbox user space.

  • Those subtitles will get you every time.
  • I don't understand. If I create a backup of my DVD and watch it using my Kodi box, how does someone inject malicious code into the subtitles? Oh, you mean this only happens when I acquire questionably legal content from an unknown source? Never mind then.

  • Look out for those bootleg Hungarian dubs! (Score:3, Funny)

    by ToTheStars ( 4807725 ) on Wednesday May 24, 2017 @10:25AM (#54476937)

    "Zis tabakonist is scratched. I weel not buy eet."

    "My hovercraft is full of eels. Do you want to come back to my place, bouncy-bouncy?"

    Of course, it's the German gag dub that's the real killer: "Wenn ist das Nunnstuck, git und Slotermayer..."

  • Nothing new here (Score:3)

    by bbsguru ( 586178 ) on Wednesday May 24, 2017 @10:42AM (#54477059) Homepage Journal
    "Malicious Subtitles". New? Hardly!

    Did you never watch Mystery Science Theater 3000?

  • Last month I recorded a video of William Shatner telling the story about the bicycle [youtube.com] at Silicon Valley Comic Con 2017. I left my external mic at home, so the audio quality wasn't great. I paid $5 to Rev [rev.com] to create the captions and upload directly to my YouTube video. Nice service. I wonder if my videos could get malicious captions that way.

  • ... is not amused [youtube.com].
