Slashdot Mirror

← Back to Stories (view on slashdot.org)

Malicious Subtitles Threaten VLC, Kodi and Popcorn Time Users, Researchers Warn (torrentfreak.com)

Posted by msmash on from the security-woes dept.

Millions of people risk having their devices and systems compromised by malicious subtitles, according to a new research published by security firm Check Point. The threat comes from a previously undocumented vulnerability which affects users of popular streaming software, including Kodi, Popcorn-Time, and VLC. Developers of the applications have already applied fixes and in some cases, working on it. From a report: While most subtitle makers do no harm, it appears that those with malicious intent can exploit these popular streaming applications to penetrate the devices and systems of these users. Researchers from Check Point, who uncovered the problem, describe the subtitle 'attack vector' as the most widespread, easily accessed and zero-resistance vulnerability that has been reported in recent years. "By conducting attacks through subtitles, hackers can take complete control over any device running them. From this point on, the attacker can do whatever he wants with the victim's machine, whether it is a PC, a smart TV, or a mobile device," they write.

126 comments

  1. Always verify user input and external data by Anonymous Coward · · Score: 3, Insightful

    If it can be abused, then someone will do it. Why is it so difficult for developers to learn this?

    1. Re:Always verify user input and external data by Anonymous Coward · · Score: -1

      Also to blame are poorly designed languages like C/C++ that allow hackers to take control of systems by feeding the right data to the fragile C/C++ runtimes/libraries. A language like Java would just throw an exception.

    2. Re:Always verify user input and external data by Anonymous Coward · · Score: 0

      kuz k0dink ees hard and sikurity not important.

    3. Re:Always verify user input and external data by Anonymous Coward · · Score: 0

      No, no, input validation is needed in any case and that includes Java. If you don't do input validation, you've already lost. If at all, languages with a 'tainted' flag could be considered well-designed with that respect.

    4. Re:Always verify user input and external data by Anonymous Coward · · Score: 0

      Oh, because it is a 2nd order issue: input is fully valid. But the PATH included in the zip file is relative, and has "../" to transverse to the parent directory.

      Yes, this is a typical security hole, it is also something every non-joke programmer used to deal with archives knows to look for. But hey, libarchive is a _security nightmare_, so people tend to roll-their-own... and end up with other security nightmares!

    5. Re:Always verify user input and external data by Anonymous Coward · · Score: -1

      Regardless of what you code, bugs are inevitable. And when those bugs are exploited, unsafe languages like C allow the exploiter to take control of the system. Safe languages like Java, .Net etc, don't.

      Behind any of the numerous critical vulnerabilities, over the last couple of decades, is software written in a fragile language like C/C++. When is someone going to call out these languages for their flaws instead of ignoring the obvious because you are biased towards the language?

    6. Re:Always verify user input and external data by Anonymous Coward · · Score: 0

      The only one biased here is you, claiming that vulnerabilities in Java and .NET can't be used to compromise the entire system.

    7. Re:Always verify user input and external data by TemporalBeing · · Score: 1

      If it can be abused, then someone will do it. Why is it so difficult for developers to learn this?

      True, but don't stop there. Defense is about layers, so ensuring even the functions internally don't trust data coming into them any more than they absolutely have to also makes not only for a great defense strategy but also for very good debugging - the code will become smarter and bugs will be more obvious and easier to catch early; and no, it doesn't have a significant impact on performance.

      --
      Truth is like the sun. You can shut it out for a time, but it ain't goin' away. - Elvis Presley (source: imdb.com)
    8. Re:Always verify user input and external data by TWX · · Score: 1

      I donno, little Bobby Tables figured this out a long time ago.

      --
      Do not look into laser with remaining eye.
    9. Re:Always verify user input and external data by TWX · · Score: 2

      Dammit, wrong URL.

      Should've been to XKCD https://xkcd.com/327/

      Guess I should check my buffers before pasting and submitting stuff.

      --
      Do not look into laser with remaining eye.
    10. Re:Always verify user input and external data by PoopMonkey · · Score: 1

      At least you didn't share a link to some sort of crazy porn.

    11. Re:Always verify user input and external data by TWX · · Score: 1

      Are people generally in the habit of copying links to porn? That seems like a particularly terrible idea.

      --
      Do not look into laser with remaining eye.
  2. Muh Anime!!! by the_skywise · · Score: 1

    Who didn't freaking use a strnlen on subtitles?!

    1. Re:Muh Anime!!! by Anonymous Coward · · Score: 0

      If you think strnlen is the solution to anything, then you clearly do not understand the problem.

  3. How to avoid these vulnerabilities by Anonymous Coward · · Score: -1

    If you want to ensure that you don't fall victim to these vulnerabilities, there's an easy way to be sure you're safe. Don't break the law by pirating content and software. If you refrain from piracy, you will be safe. Hope that helps.

    1. Re:How to avoid these vulnerabilities by Anonymous Coward · · Score: 0

      Because only pirated videos can have subtitles...

    2. Re:How to avoid these vulnerabilities by war4peace · · Score: 4, Interesting

      What does this have to do with anything?
      I have bought a number of movies during the years, most of which did not have a readily-available Romanian subtitle at release. My wife doesn't speak English but understands it to some extent, the threshold being thick accents. Try to watch "Snatch" without subtitles, even in English, and you'll understand. "Doo ya leik dags?"

      I have a bunch of movies on DVDs which I can enjoy but she can't, so I either rip them to HDD or download the same movie online, then attach a subtitle to it. Now we can both enjoy the movie at its fullest.

      What I am doing is not piracy by any means, it's an extension of already existing features which I legally own the right to use.

      --
      ...gis sdrawkcab (usually not responding to ACs; don't bother posting as AC)
    3. Re:How to avoid these vulnerabilities by LordSkippy · · Score: 5, Insightful

      If you want to ensure that you don't fall victim to these vulnerabilities, there's an easy way to be sure you're safe. Don't break the law by pirating content and software. If you refrain from piracy, you will be safe. Hope that helps.

      You are quite wrong, on all accounts.

      I download spanish subtitles for movies we've legally purchase all the time, because they did not come with those subtitles. So, you are wrong about legal purchases negating the need for these subtitles.

      I've also gotten computer viruses from legally purchased and authentic software. Got one from a game I bought at Gamestop, back when games came on floppies. Anti-virus caught it as soon as the disk went into the drive. So, you are wrong about legal purchases keeping you safe.

      Remember Sony's root kit debacle? Sometimes you're not safe from the corporation you're buying from.

      --
      My karma is in a nose dive
    4. Re:How to avoid these vulnerabilities by jedidiah · · Score: 1

      The only reason I would ever need a 3rd party sub file is if the original publisher was too cheap to include one or too incompetent to include a good one.

      --
      A Pirate and a Puritan look the same on a balance sheet.
    5. Re:How to avoid these vulnerabilities by fustakrakich · · Score: 1

      If you refrain from piracy, you will be safe.

      Yes, you are so right!

      Oh wait... Poe's law, right?

      --
      “He’s not deformed, he’s just drunk!”
    6. Re:How to avoid these vulnerabilities by interkin3tic · · Score: 2

      AC is being sarcastic. For the willfully ignorant/forgetful out there

      You're
      still
      not
      safe.

    7. Re:How to avoid these vulnerabilities by wbr1 · · Score: 1

      Playing devils advocate here, but - you are supposed to wait for a region locked spanish version to b e released. No one knows when or for how long it will be available for any given title, and you have to pay again for the privilege.

      --
      Silence is a state of mime.
    8. Re:How to avoid these vulnerabilities by Sigma+7 · · Score: 2

      If you refrain from piracy, you will be safe.

      If you refrained from piracy, your Commodore 64's drive would need repair much more frequently because an anti-piracy measure involves reading "bad" sectors and causing the hard drive to knock at sector 0 (and thus misalign the head.)

      If you refrain from piracy, you get a free rootkit while you play games such as Street Fighter V.

      If you refrain from piracy in the future... well, I'm uncertain what will happen on the technical side, but you won't be able to purchase Alan Wake if you missed the recent fire sale.

      I'm not advocating piracy, but the current situation is that anti-piracy mechanisms don't exactly respect the customer, or those that want to buy the products.

    9. Re:How to avoid these vulnerabilities by LordSkippy · · Score: 2

      Mexico is region one. I'm in the US, in a household of all US citizens, but a household of majority spanish speakers. So, only region one media and players are available to us.

      --
      My karma is in a nose dive
    10. Re:How to avoid these vulnerabilities by ColdWetDog · · Score: 1

      So it sounds like you are likely to need a third party sub file.

      --
      Faster! Faster! Faster would be better!
    11. Re:How to avoid these vulnerabilities by dosius · · Score: 1

      I thought Mexico was region 4, like Brazil. o.o;

      -uso.

      --
      What you hear in the ear, preach from the rooftop Matthew 10.27b
    12. Re:How to avoid these vulnerabilities by Anonymous Coward · · Score: 0

      And perhaps the only country on Earth were DVD regions are obeyed?
      Seriously, I think it was never illegal to region-unlock a region-locked player? then there should be other Spanish language or Spanish-subtitled DVDs from other continents (although maybe importing from South America or Caribbeans would be expensive, and Europe less so)

    13. Re:How to avoid these vulnerabilities by Anonymous Coward · · Score: 0

      I'm seeing somewhat related shit. From the lowest bottom video nerd games of now, they let a decent gaming PC (core i3 4170 and shit) sit around but there's Windows 10 and the games are Steam or Origin, the guy's handle/user name can been seen while the password cannot. It's password needed - or Steam off-line mode needed, but that wouldn't go over all issues and didn't work anyway - and a big ass concern that all that shit does "telemetry" i.e. what we used to call spyware in like 1999 or 2001 when RealPlayer and Comet Cursor were doing it.
      When I came before, it was Windows 7 and shit (I remember one box with Windows Update seemingly dead and deciding to not log into anything in web browsers). A while before that it was about linux everything with some Wine but you logged into the LAN wide shit and nothing else. Older school freedoms and smaller responsibilities. Now the Windows box have local root (very likely, used to be) when clicking "yes" on a UAC local prompt you get for anything including a right-click to a shortcut to cmd.exe. But you get something that looke like web accoubt.Android/iOS/cloud/shit password prompt for user processes like Steam, Origin and U-Shit. This is DRM. And this is same shit as logging in to failbook for ordering pizza or doing taxes or whatever. Do not want!

      By the way, while you still can run Flash in some shit way, try the Windows RG parody from 100 years ago. Looks like Windows 10 in some ways.

    14. Re:How to avoid these vulnerabilities by thegarbz · · Score: 1

      Don't break the law by pirating content and software.

      There's nothing illegal about downloading subtitles for a movie.

    15. Re:How to avoid these vulnerabilities by thegarbz · · Score: 1

      Doo ya leik dags

      To be fair, the immediate line following this one is: "Oh you mean dogs!"

      It's kind of like in the Assassins Creed movies in one of the scenes it all sounds a bit like gibberish, but if you turn on subtitles you're greeted with the wonderful subtitle: (man speaking Spanish backwards) as if that was at all relevant.

      But yes I do understand what you mean. I also watch native movies with subtitles because reading cuts through accents.

    16. Re:How to avoid these vulnerabilities by thegarbz · · Score: 1

      you are supposed to wait for a region locked spanish version to b e released

      What region? Blurays Region A covers all of North and South America. Is every product in the USA supposed to have a Spanish subtitle?

    17. Re:How to avoid these vulnerabilities by thegarbz · · Score: 1

      There's only 3 regions if you're not buy 20 year old obsolete media.

      Brazil is also Region 1 on Bluray. All American continents are.

    18. Re:How to avoid these vulnerabilities by Nethead · · Score: 1

      I use to make some nice coin re-aligning 1541 drives since I had an o-scope to find the cat's eye.

      --
      -- I have a private email server in my basement.
    19. Re:How to avoid these vulnerabilities by Anonymous Coward · · Score: 0

      What I am doing is not piracy by any means, it's an extension of already existing features which I legally own the right to use.

      Citizen! Thank you for coming forward with your crime. Uncle Same welcomes all criminals into the Ministry of Freedom for reeducation.

      Here you will learn that Copyright Infringement, or "Piracy" as you call it, is the breaking of a very thick legal agreement you joined when you purchased your entertainment. It has nothing whatsoever to do with an exchange of money for a product and EVERYTHING to do with an exchange of money for a license.

      You did the first one but failed to do the second.

      Please remain where you are and a member of the FBI will come to you and escort you and whoever watched that movie with you to a courtroom where you can expect to pay thousands of dollars in fees.

      Thank you for your cooperation.

    20. Re: How to avoid these vulnerabilities by Anonymous Coward · · Score: 0

      If I was paying for a license then why did they give me an unlimited use disc copy of the movie?

    21. Re: How to avoid these vulnerabilities by Anonymous Coward · · Score: 0

      They didn't. It has limits. They even tell you them.

    22. Re: How to avoid these vulnerabilities by Anonymous Coward · · Score: 0

      If you purchased any DVD from Sony in the late 90s to 00's then you probably received a nice Rootkit from Sony for your trouble...

    23. Re:How to avoid these vulnerabilities by Anonymous Coward · · Score: 0

      Don't forget Windows 10, where the pirated, privacy-enabled version is safer than the "legitimate" version from M$.

    24. Re:How to avoid these vulnerabilities by peawormsworth · · Score: 1

      war4peace, you can mitigate issues by running Kodi on a Raspberry Pi. They cost about $100, but can run as an independent media server right next to your TV. They include wifi so cabling will not be an issue. This will isolate security problems from your laptop or PC that you may be using now. So infections will not effect your personal computer documents.

      You can also set your router to isolate your raspberry Pi to a separate network from the one you use for computers, laptops and phones. This way a complete infection of your pi due to poor Kodi security will not effect any of your personal devices or monitor your network traffic.

      The pi runs on SD cards with no hard drive, so if the system is compromised, you can simply wipe the SD card and reinstall. The process takes about 1 hour.

      disclaimer: I am not a raspberry pi seller, but I am a big time buyer.

    25. Re:How to avoid these vulnerabilities by war4peace · · Score: 1

      Is it capable of transcoding 4K bluray-quality H.265 to 1080p without stuttering? I'm yet to find a non-PC device capable of doing so. The Thecus N5810 came close (1080p only though) but no cigar.

      --
      ...gis sdrawkcab (usually not responding to ACs; don't bother posting as AC)
  4. Plain Text by Gornkleschnitzer · · Score: 4, Insightful

    How on earth does one design a plain-text subtitle system capable of being instructed to execute code?

    1. Re:Plain Text by squiggleslash · · Score: 4, Informative

      Not that it changes your question much, but I think a significant number of subtitle systems (I know DVD does this for one) are based on low depth bitmaps, not text. That said, that makes it harder to understand why they'd be so easy to code badly, given bitmaps have an easily calculated maximum size.

      --
      You are not alone. This is not normal. None of this is normal.
    2. Re:Plain Text by H3lldr0p · · Score: 1

      Guessing it has something to do with how it synchs up with the video. Also guessing that instead of including timestamps on the text data, it's some sort of interpreted system using xml.

      Splice in some javascript or whatever language the player is using and there you go. A nice side channel hack.

    3. Re:Plain Text by Anonymous Coward · · Score: 0

      Buffer overflow

    4. Re:Plain Text by Anonymous Coward · · Score: 1

      How else? H1B visa holders.

    5. Re:Plain Text by dafradu · · Score: 1

      There are a couple dozen subtitle formats, some are much more than a simple text and timecode, they look a lot like HTML files.

    6. Re:Plain Text by buchner.johannes · · Score: 2

      From TFA:

      To begin with, there are over 25 subtitle formats in use, each with unique features and capabilities. Media players often need to parse together multiple subtitle formats to ensure coverage and provide a better user experience, with each media player using a different method.

      But it does not say exactly what is the vulnerability, maybe that is still embargoed.

      --
      NB: The message above might reflect my opinion right now, but not necessarily tomorrow or next year.
    7. Re:Plain Text by H3lldr0p · · Score: 1

      So let me get this right.

      Instead of having a text renderer built into the player and the subtitles just be stored in a file with the appropriate timecodes, the DVD people decided that the best way to go was to slap subtitles in as a transparent image overlay?

    8. Re:Plain Text by Anonymous Coward · · Score: 0

      The same way early HTML interpreters were capable of arbitrarily executing file manipulation scripts written in a language intended for making HTML appear more dynamic.

      Proof-of-concept gets something working, author mentions that he hasn't looked at security.
      Proof-of-concept gets adopted without alteration because "no one would use [thing] for hostile purposes."
      Adopted standard gets used for years without re-evaluation because "it passed code review, it must be safe."
      And then someone wonders if the code was ever reviewed and if it is safe, finds the attack vector and causes trouble.

    9. Re:Plain Text by Anonymous Coward · · Score: 4, Interesting

      I remember when I wanted to get the subtitles off a blu ray, it was done via OCR. Support your .srt creating peeps, it's a pain in the ass.

      Might have something to do with font styles, alphabets and such. Easier to have it per-rendered than text formatting logic in the players.

    10. Re:Plain Text by Existential+Wombat · · Score: 2

      Ask Bobby Tables!

    11. Re:Plain Text by jedidiah · · Score: 2

      Pretty much.

      Closed captions are a text stream. DVD/BD subtitles are image overlays.

      --
      A Pirate and a Puritan look the same on a balance sheet.
    12. Re:Plain Text by Merk42 · · Score: 4, Funny

      To begin with, there are over 25 subtitle formats in use, each with unique features and capabilities. Media players often need to parse together multiple subtitle formats to ensure coverage and provide a better user experience, with each media player using a different method.

      25?! Ridiculous!
      We need to develop one universal standard that covers everyone's use cases.

    13. Re:Plain Text by dabadab · · Score: 1

      The "arbitrary code execution" hacks are generally exploiting buffer overflows and the one area that tended to be rather full of overflowable buffers was text processing where people were using "reasonably large" buffers without checking the size of the input (the gets() function of the standard C library was a really shining example).

      --
      Real life is overrated.
    14. Re:Plain Text by fustakrakich · · Score: 1

      Because the OS is too 'stupid' to protect itself and sandbox user space.

      --
      “He’s not deformed, he’s just drunk!”
    15. Re:Plain Text by Anonymous Coward · · Score: 5, Informative

      Remember, DVD players hit the mass market in 1997. Rendering a font in real-time for each language would have increased the cost of the processor. Compositing could be handled by the same video chipset that handled animated menus.

    16. Re:Plain Text by Anonymous Coward · · Score: 0

      Because of half a century of hard work from physicists, engineers, and technicians that allows us to build billions of transistors that require a few milliwatts to run at GHz clocks.

      This leads to programming that looks and acts like utter shit.

    17. Re:Plain Text by wbr1 · · Score: 1

      How does one design a text entry field that parses embedded SQL commands?

      --
      Silence is a state of mime.
    18. Re:Plain Text by thegarbz · · Score: 4, Insightful

      plain-text subtitle system

      What on earth makes you think the subtitle system is plain text? There is one system that is plain text and that is the SRT format.

      The rest, they are made up of various features such as displaying static images, controlling fade, dynamic adjustment of font and colouring to suit things like Karaoke. There are heaps of different subtitle formats to chose from each with their own mix of either plain text or encoded formats. Even among the plain text ones it isn't simple. Want to use WebVTT? Well now you have your subtitle system tied to a HTML / CSS processor.

    19. Re:Plain Text by Kjella · · Score: 1

      How on earth does one design a plain-text subtitle system capable of being instructed to execute code?

      Well in terms of the Butter fix linked it would appear they put the subtitles as text into a JS-rendered page. No sanitation = text interpreted as JavaScript run as local code outside any sandbox. The fix is really just this:

      strings = Common.sanitize(strings); // xss-style attacks
      strings = strings.replace(/--\&gt\;/g, '-->'); // restore srt format

      So many developers have a "bang it until it works" mentality, they couldn't see a security hole the size of a barn door without working exploit code. And even then they'll make a hare-brained fix for that particular code, still leaving the barn door open.

      --
      Live today, because you never know what tomorrow brings
    20. Re:Plain Text by Anonymous Coward · · Score: 0

      Well actually the 25th format did that already, but if you want to incorporate that format itself in the new standard in addtion to other 24 ones you could do so and create the 26th format.

    21. Re:Plain Text by omnichad · · Score: 2

      There are a lot of languages in the world. Bitmaps ensure that any player can render any character. And it's also the same system that handles overlays on the menu systems, so less code overall too. Players are relatively dumb devices that don't need their own font system, nor do they need to support decoding every character in Unicode.

      Also, where the subtitle is placed on the screen is sometimes important to avoid covering important action on the screen. A cinemascope movie has extra black space at the bottom of the 16:9 image and you can set position there. These can be done with text-based coordinates, but it's a matter of convenience.

    22. Re:Plain Text by Anonymous Coward · · Score: 0

      >text renderer built into the player
      Yeah because it's so much easier to display subtitles from all around the world using shitload of fonts for stuff than just slap a bitmap together so you don't have to give a fuck.

    23. Re:Plain Text by Gornkleschnitzer · · Score: 1

      Correct. The question is, how does one permit an overflow in a situation where the data should be so simple?

      On the other hand, comments after my own are implying that subtitles are more complicated than plain text. Back to square one.

    24. Re:Plain Text by Plus1Entropy · · Score: 1

      DVD is pretty old. Rendering the text may have been too computationally expensive at the time.

      --
      Only crack the nuts that crack. You don't put the ones that don't crack in the sack.
    25. Re:Plain Text by 140Mandak262Jamuna · · Score: 1

      So many developers have a "bang it until it works" mentality, they couldn't see a security hole the size of a barn door without working exploit code. And even then they'll make a hare-brained fix for that particular code, still leaving the barn door open.

      No! Definitely not true. They will partly close that barn door, blast a brand new bigger hole in the side wall, and add 18 additional locks to make it impossible for any legitimate user to get into the barn.

      --
      sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
    26. Re:Plain Text by Gornkleschnitzer · · Score: 1

      By passing the text data entered into the field into a SQL server for storage or processing, without checking to ensure the server will not interpret it incorrectly.

    27. Re:Plain Text by Anonymous Coward · · Score: 0

      it takes code to read text... all code have bugs... therefore it can be exploited.

    28. Re:Plain Text by tuffy · · Score: 1

      Blu Ray subtitles are still done with high resolution bitmaps to this day. As mentioned elsewhere, it lets the player be relatively stupid by punting the complexity of fonts/Unicode off to whoever's authoring the disc.

      --

      Ita erat quando hic adveni.

    29. Re:Plain Text by itamihn · · Score: 1, Funny

      https://xkcd.com/927/

    30. Re:Plain Text by Anonymous Coward · · Score: 0

      To make subtitles appear in every possible language would require the entire Unicode character set, all 65536 characters for Chinese, Japanese, Russian, Spanish, Norwegian, all those different pronounciations of vowels, all in TTF files with kerning, alignment, and proportional spacing software. Alternatively, they just store bitmaps of the postprocessed text.

    31. Re:Plain Text by Merk42 · · Score: 2

      Yes, that is the comic I literally quoted, good job.

    32. Re:Plain Text by tlhIngan · · Score: 1

      Blu Ray subtitles are still done with high resolution bitmaps to this day. As mentioned elsewhere, it lets the player be relatively stupid by punting the complexity of fonts/Unicode off to whoever's authoring the disc.

      Well, yes. Because it's better that way.

      First, you aren't limited to choice of fonts. You have to remember the Blu-Ray standard is over 10 years old by now. The number of characters available in Unicode has increased dramatically - additional languages, emojis, etc.

      Second, you aren't limited to a choice of fonts. This time, we're talking actual fonts themselves. There's font shapes, font styles, sizes, etc. And special characters - sometimes they use a special style when there's a song playing, for example.

      About the only way to ensure that future discs can be played back on the oldest standard players, you pretty much need to use rendered down images for the subtitles - everything changes too quickly. Even today visit the wrong web page on the wrong OS and instead of seeing text, you get squares as the font is missing Unicode codepoints.

      Heck, I'm sure someone has found a creative use for subtitle overlay images in some custom project or another

    33. Re:Plain Text by nine-times · · Score: 1

      I'm sure it's because of easy control of the display. If you want control over the size, position, color, and style of the subtitles, then storing text is insufficient. You'd need some kind of markup language. Then you risk running into issues where different manufacturers/developers have different implementations of the rendering code, and so different players show the subtitles differently.

      Also, if you want to be able to control the font, you'd either need the whole world and all video players to standardize on a certain set of fonts, or you'd need to embed fonts in the movie file. Doing that is more complex both from a technical and a licensing standpoint, as opposed to just distributing pre-rendered images.

      Having a rendering engine capable of parsing the markup language and rendering arbitrary fonts creates a system much more complex than rendering a simple bitmap. You have increased risk of bugs. If you're thinking is terms of physical media, you don't want there to be bugs in your DVD or DVD player, neither of which generally gets updates.

    34. Re:Plain Text by Anonymous Coward · · Score: 0

      Subs are often compressed as .zip files to save space. Not parsing .zip files correctly can cause subtle issues, particularly when you don't guard against files in the .zip file having .. in their file names.

    35. Re:Plain Text by squiggleslash · · Score: 1

      More or less yes. Having a text renderer introduces its own complications, including predictable font sizes and fonts that can render every character used by every language in the world. Back in 1996, when DVD was standardized, that was a tall order. Some would say it still is.

      Using bitmaps is also more flexible, in theory you can use the subtitle feature to add optional graphics instead of just text.

      And given you're talking about a low depth (compressible? I think it's compressed) bitmap that changes once every few seconds, it's not as if there's a lot of overhead in the technique. The main stream already includes at least one 384kbps audio stream, plus an MPEG-2 video stream weighing in at anything from 2-5Mbps. A single 704x480 two color bitmap weighs in at 42k, or about 330 kilobits. One of those every 5 seconds is almost a trace amount of bandwidth.

      --
      You are not alone. This is not normal. None of this is normal.
    36. Re:Plain Text by zarmanto · · Score: 0

      Merk's reference, for the uninitiated: xkcd - "Standards"

    37. Re:Plain Text by Anonymous Coward · · Score: 0

      for master and commander: the far side of the world, one of the subtitles shows a map on the screen.

    38. Re:Plain Text by Hognoxious · · Score: 1

      And all the emojis. yet another reason why unicode is a crock of shit.

      --
      Confucius say, "Find worm in apple - bad. Find half a worm - worse."
    39. Re:Plain Text by steveg · · Score: 1

      According to a post by a site admin at opensubtitles.org, the problem was in the filenames of the subtitle file, and special character in those names. Apparently some media players weren't careful in how they parsed the names.

      --
      Ignorance killed the cat. Curiosity was framed.
    40. Re:Plain Text by Anonymous Coward · · Score: 0

      If you take a look at the pull request for Kodi (XBMC) that fixes the issue, you can see it's actually a malicious zip file.

      https://github.com/xbmc/xbmc/pull/12024

      https://github.com/ptoomey3/evilarc

      "evilarc lets you create a zip file that contains files with directory traversal characters in their embedded path. Most commercial zip program (winzip, etc) will prevent extraction of zip files whose embedded files contain paths with directory traversal characters. However, many software development libraries do not include these same protection mechanisms (ex. Java, PHP, etc). If a program and/or library does not prevent directory traversal characters then evilarc can be used to generate zip files that, once extracted, will place a file at an arbitrary location on the target system."

      I've yet to see an example of SRT or other subtitle formats being hacked (i.e. there is no "buffer overflow" or other actual hack)

      As far as I understand, subtitle formats are simply timecodes / colors / and text. (mostly all plain-text)

      The only "vulnerable" piece here is zip file extraction that may arbitrarily write files to your system.

    41. Re:Plain Text by Anonymous Coward · · Score: 0

      Yes that's the comic itamihn literally posted two hours before you did. Good job.

    42. Re: Plain Text by Anonymous Coward · · Score: 0

      To be fair, the proof of concept was shown on opensubtitles.org, which mostly host SRT files. The exploit - at least in kodis case - is in the handling of zip files.

    43. Re:Plain Text by Anonymous Coward · · Score: 0

      .srt is obsolete. .ass (Advanced SubStation Alpha) is the modern standard for subtitles and has been for years.

    44. Re:Plain Text by Anonymous Coward · · Score: 0

      Emojis (not sure when they stopped being called emoticons, but whatever) are completely unneeded for subtitling purposes. Hell, they are completely unneeded by anyone over the age of 15. Emojis don't belong anywhere near subtitles, fonts or language as they are a part of none of these.

    45. Re:Plain Text by Anonymous Coward · · Score: 0

      I'm sure it's because of easy control of the display. If you want control over the size, position, color, and style of the subtitles, then storing text is insufficient. You'd need some kind of markup language. Then you risk running into issues where different manufacturers/developers have different implementations of the rendering code, and so different players show the subtitles differently.

      Wow. You are out of touch. I mean REALLY out of touch. There have been subtitle formats doing all of that for a long time. Every single major video player supports them too.

    46. Re:Plain Text by Anonymous Coward · · Score: 0

      No, it would only require that the device/computer it was being played upon had characters for the region. Fonts are generally not included with subtitles or embedded into video containers because people already have the fonts in the language(s) that they read.

      What's really stupid is trying to store all languages in bitmaps.

  5. Hacking: A Beginner's Guid^k^s^#8#94873&^& by olsmeister · · Score: 2

    Those subtitles will get you every time.

  6. USING COMMON (Open) SOURCE IS FRAUGHT WITH PERIL by Anonymous Coward · · Score: -1

    But the clueless will continue to be had but those with evil intent. I am not talking about Republicans. I am talking about their owners, the Russians. Putin's Russians.

  7. Multiple layers of software cruft by Anonymous Coward · · Score: 0

    That's how.

  8. Duh. by jdastrup · · Score: 0

    I don't understand. If I create a backup of my DVD and watch it using my Kodi box, how does someone inject malicious code into the subtitles? Oh, you mean this only happens when I acquire questionably legal content from an unknown source? Nevermind then.

    1. Re:Duh. by Anonymous Coward · · Score: 0

      What is this DVD thing you speak of?

    2. Re:Duh. by Anonymous Coward · · Score: 0

      You do realize there are subtitles for movies in languages not readily available on that Blu-Ray or DVD, right? There are websites dedicated to providing subtitles for movies in some of the more obscure languages.

    3. Re:Duh. by jedidiah · · Score: 1

      It's a user controlled format that allows for the preservation of works that even the publisher wants suppressed. There are a number of things that simply aren't available from streaming services. Some publishers/services like to "expire" things or "put them in the vault".

      A user controlled format avoids any of that.

      --
      A Pirate and a Puritan look the same on a balance sheet.
  9. Kodi has already patched this hole by CeasedCaring · · Score: 2

    See https://kodi.tv/article/kodi-v...

  10. Re: USING COMMON (Open) SOURCE IS FRAUGHT WITH PER by Anonymous Coward · · Score: 0

    Using open source is not fraught with peril. There are so many people reviewing the code that bugs get fixed extremely quickly. There are about 7 billion people in the world today, and about 2% of them run Linux on the desktop. That is about 140 million users, and therefore, 140 million people reviewing the source code of the Linux kernel. That dwarfs any kind of quality control done by Microsoft or any other company, and by several orders magnitude. Given that the Linux kernel source code is reviewed by at least 140 million people, it's virtually impossible for bugs to go undetected in the Linux kernel. When you consider the use of Linux on servers, it's extremely likely that well over 140 million people are reviewing the source code to the kernel. I have proven you completely wrong. Would you like to retract your statement?

  11. Look out for those bootleg Hungarian dubs! by ToTheStars · · Score: 5, Funny

    "Zis tabakonist is scratched. I weel not buy eet."

    "My hovercraft is full of eels. Do you want to come back to my place, bouncy-bouncy?"

    Of course, it's the German gag dub that's the real killer: "Wenn ist das Nunnstuck, git und Slotermayer..."

    1. Re:Look out for those bootleg Hungarian dubs! by Anonymous Coward · · Score: 0

      Thanks a lot!

      I don't know much German, but I do know what "git und Slotermayer" means, and I'm on my way to the hospital now!

    2. Re:Look out for those bootleg Hungarian dubs! by Anonymous Coward · · Score: 0

      You monster! Researchers almost died seeing just two words of that joke together! It's a good thing no one reading that here knows German...

    3. Re:Look out for those bootleg Hungarian dubs! by Gornkleschnitzer · · Score: 1

      "... Ja! Beihrund das Oder die flippervaldt gersput!" ....and now I'm a murderer, I guess.

  12. Firejail by Anonymous Coward · · Score: 0

    That is why we have Firejail, at least on Linux.

  13. I'm sure it'll be in the next update of VLC by Anonymous Coward · · Score: 0

    They've been holding 3.0 hostage for years. I'd sure love WebVTT subtitle support already!

  14. CVE? by Anonymous Coward · · Score: 0

    I could not find any tracking label(s) for this series of issues... No CVEs or equivalent, or even a reference to taling to CERT... which is kinda lame since the vulnerability notice came from Checkpoint.

    So, how I am I supposed to look into Debian, RedHat, SuSE or Ubuntu security trackers to check if they have updated packages for this *group* of vulnerabilities?

    Did anyone find a separate post from Checkpoint or some other project with an universal ID of some sort for these bugs?

    1. Re:CVE? by Anonymous Coward · · Score: 0

      Kodi/XBMC: CVE-2017-8314 (zip file parent directory transversal, a classic security hole). Fixed by upstream release 17.2.

      VLC: "supposed" to not be exploitable. Partial fix in 2.2.5, full fix in 2.2.6.

  15. Nothing new here by bbsguru · · Score: 2
    "Malicious Subtitles". New? Hardly!

    Did you never watch Mystery Science Theater 3000?

    1. Re:Nothing new here by freeze128 · · Score: 1

      Indeed. I never watched Mystery Science Theater 3000.

    2. Re:Nothing new here by mrdogi · · Score: 1

      Yup, back when it was only here in The Cities. Great show!

    3. Re:Nothing new here by The-Ixian · · Score: 1

      Yeah! KTMA channel 23! I remember watching Joel and the bots as a kid. I have since moved on to be firmly in the Mike camp and was onboard with Rifftrax.com within it's first year. I have to say though, I think Joel really made a strong comeback with the new Netflix MST3K, it is really good! Any way you slice it, today is a good day to be an MST3K fan!

      --
      My eyes reflect the stars and a smile lights up my face.
    4. Re:Nothing new here by Anonymous Coward · · Score: 0

      You are not alone. Considering the number of people in the Twin Cities area who cared about a very stupid (and yes it is VERY stupid -- in a fun way) show on community cable, the quantity of people around the world who claim to have seen it as originally broadcast are astounding.

      'Course, it's just a TV show. I shouldn't get so worked up about it... or something.

  16. Does this apply to third-party vendors... by __aaclcg7560 · · Score: 2

    Last month I recorded a video of William Shatner telling the story about the biycle at Silicon Valley Comic Con 2017. I left my external mic at home, so the audio quality wasn't great. I paid $5 to Rev to create the captions and upload directly to my YouTube video. Nice service. I wonder if my videos could get malicious captions that way.

    1. Re:Does this apply to third-party vendors... by Anonymous Coward · · Score: 0

      I think it depends on who is doing the subtitles considering the article clearly states "affects users of popular streaming software, including Kodi, Popcorn-Time, and VLC."

      So... this is a flaw in THEIR code related to subtitles, nothing about webstreams or youtube. I suppose, though, depending on how youtube handles subs if you are viewing via Kodi's youtube addon you might still be at risk. As well, you have to install or download the subs yourself from a third party. It's not a flaw with subtitles, it's a flaw with the streaming services and how THEY handle it.

      i guess you would have needed to read the entire first sentence. But hey, nice little add for a paid subtitle company you slipped in, if I had mod points I'd award some

  17. Re: USING COMMON (Open) SOURCE IS FRAUGHT WITH PER by darth+dickinson · · Score: 1

    I think it's a stretch to say that every user of Linux is reviewing the kernel source. I know that I use it regularly and I'm not a coder, just a networking geek. I *have* the source, but other than a very high-level understanding of what it purports to do, I really have no idea what the code actually does.

  18. And Hitler ... by PPH · · Score: 1

    ... is not amused.

    --
    Have gnu, will travel.
  19. subtitle lulz by Anonymous Coward · · Score: 0

    if I wanted to read, i'll read a book, you know, without pictures or video.

    1. Re: subtitle lulz by Anonymous Coward · · Score: 2, Insightful

      And, if you ever lose your hearing, as I did in the US Navy, you'll find subtitles to be a necessity. I hope you're not claustrophobic, you'd go crazy in that closed little mind of yours.

    2. Re:subtitle lulz by itamihn · · Score: 2

      As a non-native English speaker, the subtitles, whereas not really necessary, do come in handy.

  20. Linux by zakzor · · Score: 1

    I use Kodi and VLC on Linux desktop boxes. The original publication talks about PC, Android and Smart TVs but I doubt someone can get full access to my machines without my consent with this exploit.

    1. Re:Linux by Anonymous Coward · · Score: 0

      Update Kodi and VLC, it affects Linux as well. You need Kodi 17.2 (or a security fix backport), and VLC 2.2.6 (but 2.2.5.1 is already a lot better, it has a partial fix).

    2. Re:Linux by Anonymous Coward · · Score: 0

      "but I doubt someone can get full access to my machines without my consent"

      That's the definition of exploit. Scary, isn't it?

    3. Re:Linux by Anonymous Coward · · Score: 0

      Open Sores is invulnerable!

  21. my hovercraft by ooloorie · · Score: 1

    ... is full of eels.

  22. You Tube Hit Too by Anonymous Coward · · Score: 0

    These infected malicious subtitles are hitting You Tube already.

    Look what did to this. Way too long and not funny at all!

  23. Pirating movies isn't a valid option? by Anonymous Coward · · Score: 0

    TAIA?

  24. Easy Fix by Anonymous Coward · · Score: 0

    Clearly the best fix here is a new standard for captioning/subtitles implemented in JSON. If that can solve all our RSS issues, it can solve anything!

  25. Comment/Question by neurosine · · Score: 1

    So it looks like they're simply getting the IP address of the downloader and running VLC client against it. Is there any actual code in the file, or do they simply hope the user is running VLC server without password?

  26. great summary by Anonymous Coward · · Score: 0

    Doesn't tell what the vulnerability is at all.