Security vulnerability found in movie subtitle files

[mouser]

Yikes, this is unpleasant for those who download subtitles online.

Check Point researchers revealed a new attack vector which threatens millions of users worldwide – attack by subtitles. By crafting malicious subtitle files, which are then downloaded by a victim’s media player, attackers can take complete control over any type of device via vulnerabilities found in many popular streaming platforms, including VLC, Kodi (XBMC),

http://blog.checkpoi...cked-in-translation/

[holt]

I was just going to post my own news article about this: Hackers are hiding computer viruses in film subtitles, security experts warn; http://www.telegraph.co.uk/technology/2017/05/25/hackers-hiding-computer-viruses-film-subtitles-experts-warn/
I was also going to ask special permission to make duplicate posts in every DC 'video' thread I can find, but now I'll just leave it as a suggestion, as there are bound to be members who watch videos but never look at the Programming sub-forum and won't see this warning unless it's placed right in front of them on their fav threads.
I will also post a link here to CryptoPrevent Malware Prevention; https://www.foolishit.com/cryptoprevent-malware-prevention/.

[holt]

Are youtube videos susceptible to this threat:
a) if not downloaded but watched online?
b) if downloaded and watched offline?

edit: I just received an update from VLC this morning.

And BTW, you don't have to manually choose subs (subtitles) to be attacked;  movies automatically load the subs activating the attack. IOW you won't be safe just b/c you chose not to enable subs: as per the first link in my ^last post: Many videos do not come with their own subtitles, but computer media players often automatically download special files from a central online repository.  Because they are perceived as harmless text files and use a variety of different formats, the software does not check them for viruses.

[mouser]

Youtube videos are not going to be vulnerable to this attack, no matter how you watch them.

This attack is only relevant to folks who download subtitle files off the internet for movies.

It's not relevant for watching youtube videos where the subtitles are part of the video or are created by youtube.

[brotherS]

WTF! Thanks for posting! This is an attack vector I never had on my radar. I rarely download subtitles (just once in the last x months), and since I still have the file on my PC I checked it out: Just plain text, everything ok.

To allow the developers more time to address the vulnerabilities, we’ve decided not to publish any further technical details at this point.

I'm curious how exactly the attack works... I had assumed players just load text files for subtitles and display what's in there (not looking for code there), but then I only ever saw .srt files and a similar format. According to them "there are over 25 subtitle formats in use", so I imagine that more exotic subtitle formats can better be used for attacks.

[mouser]

That is an excellent question!! It's very hard to find details anywhere...

The Kodi page for the latest update says this, which suggests that the subtitlte text file itself is not the culprit:

To be clear this possible vunrability is only present when you first enable a subtitle dowload add-on and then actually download zipped subtitles. Any subtitles that you already have as text file, are embedded in the video stream or are included with you DVD or Blurays are safe.

That sounds like the security vulnerability was in the automatic downloading and unpacking of zipped subtitle files by media players.

But I'd really like some confirmation about that.

Another media player change log sheds a little bit of light, but not much:

https://ci.popcornti...rn-Time-Desktop/249/

[f0dder]

I would have thought UTF-8 subtitles and buffer overruns leading to code execution - specifically mentioning .zip downloads makes me think otherwise.

It could be several different bugs in different players - it could be absolute paths in zip files? - it could be one ore more bugs in one or more common subtitle handling libraries.

Interesting!

[mouser]

I would have thought UTF-8 subtitles and buffer overruns leading to code execution - specifically mentioning .zip downloads makes me think otherwise.

Agreed -- my first assumption was buffer overflow -- i.e. text subtitles designed to be so long as to overwrite memory.  But it looks now like it might be related to special features that these media players provide when downloading subtitle files -- like rendering a web page with info from the subtitle author or another additional files included in a subtitle zip package?

[anandcoral]

It boils downs to any "app" which tries to display a "html" from the web is vulnerable to been hijacked. And the author has nothing to do with it.

Generally a program uses "object" in the code which uses some dll to show, say IE window in the program itself. Since the main browser Edge, Firefox extra is not called but a scale down version of an old library, so the vulnerability increases.

Only solution looks like not to use the "in window html display" but call the default browser.

Regards,

Anand

[tomos]

this not quite clear to me here:

It boils downs to any "app" which tries to display a "html" from the web is vulnerable to been hijacked. And the author has nothing to do with it.

Generally a program uses "object" in the code which uses some dll to show, say IE window in the program itself. Since the main browser Edge, Firefox extra is not called but a scale down version of an old library, so the vulnerability increases.

-anandcoral (May 29, 2017, 05:41 AM)

1) if the App is using the IE engine to show a web or html page, what has Firefox to do with it?

2) what you're saying -- sounds like any PIM's that use IE engine are (currently) risky?

[mouser]

any PIM's that use IE engine are (currently) risky?

This kind of thing is only risky if malicious 3rd parties are feeding you data files.

If you are using a PIM to store your own notes and data, these vulnerabilities are not issues.

[anandcoral]

This kind of thing is only risky if malicious 3rd parties are feeding you data files.

If you are using a PIM to store your own notes and data, these vulnerabilities are not issues.

-mouser (May 29, 2017, 10:04 AM)

Thanks Mouser for clarifying what I meant.

Regards,

Anand