Main Area and Open Discussion > General Software Discussion

Security vulnerability found in movie subtitle files

(1/3) > >>

mouser:
Yikes, this is unpleasant for those who download subtitles online.

Check Point researchers revealed a new attack vector which threatens millions of users worldwide – attack by subtitles. By crafting malicious subtitle files, which are then downloaded by a victim’s media player, attackers can take complete control over any type of device via vulnerabilities found in many popular streaming platforms, including VLC, Kodi (XBMC),

--- End quote ---


http://blog.checkpoint.com/2017/05/23/hacked-in-translation/

holt:
I was just going to post my own news article about this: Hackers are hiding computer viruses in film subtitles, security experts warn; http://www.telegraph.co.uk/technology/2017/05/25/hackers-hiding-computer-viruses-film-subtitles-experts-warn/
I was also going to ask special permission to make duplicate posts in every DC 'video' thread I can find, but now I'll just leave it as a suggestion, as there are bound to be members who watch videos but never look at the Programming sub-forum and won't see this warning unless it's placed right in front of them on their fav threads.
I will also post a link here to CryptoPrevent Malware Prevention; https://www.foolishit.com/cryptoprevent-malware-prevention/.

holt:
Are youtube videos susceptible to this threat:
a) if not downloaded but watched online?
b) if downloaded and watched offline?

edit: I just received an update from VLC this morning.

And BTW, you don't have to manually choose subs (subtitles) to be attacked;  movies automatically load the subs activating the attack. IOW you won't be safe just b/c you chose not to enable subs: as per the first link in my ^last post: Many videos do not come with their own subtitles, but computer media players often automatically download special files from a central online repository.  Because they are perceived as harmless text files and use a variety of different formats, the software does not check them for viruses.

mouser:
Youtube videos are not going to be vulnerable to this attack, no matter how you watch them.

This attack is only relevant to folks who download subtitle files off the internet for movies.

It's not relevant for watching youtube videos where the subtitles are part of the video or are created by youtube.

brotherS:
WTF! Thanks for posting! This is an attack vector I never had on my radar. I rarely download subtitles (just once in the last x months), and since I still have the file on my PC I checked it out: Just plain text, everything ok.

To allow the developers more time to address the vulnerabilities, we’ve decided not to publish any further technical details at this point.
--- End quote ---

I'm curious how exactly the attack works... I had assumed players just load text files for subtitles and display what's in there (not looking for code there), but then I only ever saw .srt files and a similar format. According to them "there are over 25 subtitle formats in use", so I imagine that more exotic subtitle formats can better be used for attacks.

Navigation

[0] Message Index

[#] Next page