Submitted via IRC for TheMightyBuzzard
Check Point researchers revealed a new attack vector threatening millions of users of popular media players, including VLC, Kodi (XBMC), Popcorn Time and Stremio. By crafting malicious subtitle files for films and TV programmes, which are then downloaded by viewers, attackers can potentially take complete control of any device running the vulnerable platforms.
"The supply chain for subtitles is complex, with over 25 different subtitle formats in use, all with unique features and capabilities. This fragmented ecosystem, along with limited security, means there are multiple vulnerabilities that could be exploited, making it a hugely attractive target for attackers," said Omri Herscovici, vulnerability research team leader at Check Point.
The subtitles for films or TV shows are created by a wide range of subtitle writers, and uploaded to shared online repositories, such as OpenSubtitles.org, where they are indexed and ranked. Researchers also demonstrated that by manipulating the repositories' ranking algorithm, malicious subtitles can be automatically downloaded by the media player, allowing a hacker to take complete control over the entire subtitle supply chain without user interaction.
Source: https://www.helpnetsecurity.com/2017/05/23/subtitle-hack/
(Score: 2) by DECbot on Tuesday May 23 2017, @05:18PM (1 child)
This is how I imagine the malicious subtitles would sound like if piped to a text to speech vocalizer:
https://www.youtube.com/watch?v=sKa2tz9CpZk [youtube.com]
cats~$ sudo chown -R us /home/base
(Score: 4, Funny) by Jeremiah Cornelius on Tuesday May 23 2017, @05:38PM
You wouldn't believe it. I was watching a subtitled stream for a Japanese gangster movie. The whole thing got ruined by hacked titles.
I think it was called "What's Up, Tiger Liliy?".
You're betting on the pantomime horse...
(Score: 2, Funny) by Anonymous Coward on Tuesday May 23 2017, @05:23PM (21 children)
It's all such horrific nonsense.
Do yourself a favor, and cut computing out of your life as much as possible. It's just trash, because humans are trash.
(Score: 1, Insightful) by Anonymous Coward on Tuesday May 23 2017, @05:32PM (6 children)
I'm much happier since I stopped talking to people.
(Score: 2) by LoRdTAW on Tuesday May 23 2017, @05:36PM (4 children)
(Score: 2) by el_oscuro on Wednesday May 24 2017, @12:00AM (3 children)
He never said that. Just "Bite my shiny metal ass!". And how did you get that cool ASCII art past the lameness filter?
SoylentNews is Bacon! [nueskes.com]
(Score: 2) by sgleysti on Wednesday May 24 2017, @02:37AM
It's a question that almost answers itself: The lameness filter could obviously tell that his cool ASCII art wasn't lame.
(Score: 2) by LoRdTAW on Wednesday May 24 2017, @02:18PM
He did, sort of: https://www.youtube.com/watch?v=0qBlPa-9v_M [youtube.com]
And it's called ecode tags.
(Score: 2) by tangomargarine on Wednesday May 24 2017, @02:58PM
https://www.youtube.com/watch?v=0qBlPa-9v_M [youtube.com]
"Is that really true?" "I just spent the last hour telling you to think for yourself! Didn't you hear anything I said?"
(Score: 0) by Anonymous Coward on Tuesday May 23 2017, @05:37PM
Is it any wonder that the religions of the world tend to involve at some higher level the lone, cloistered monk?
(Score: 2) by julian on Tuesday May 23 2017, @05:36PM (5 children)
I've almost finished my breadboard computer, which can neither be hacked nor perform practically useful work!
(Score: 0) by Anonymous Coward on Tuesday May 23 2017, @05:39PM
That's how the overlords keep the little people too busy to question the present order of things.
(Score: 2) by maxwell demon on Tuesday May 23 2017, @06:12PM (1 child)
You think it cannot be hacked? Stand by while I'm fetching my axe … ;-)
The Tao of math: The numbers you can count are not the real numbers.
(Score: 1, Funny) by Anonymous Coward on Tuesday May 23 2017, @07:02PM
I see you've played breadboard-axey before!
(Score: 1) by Maskawanian on Tuesday May 23 2017, @08:11PM (1 child)
I'm enjoying watching it. Do you plan on connecting it up to your solar system in any way?
Greetings from across the pond in Canada!
(Score: 0) by Anonymous Coward on Wednesday May 24 2017, @12:40PM
Well, that escalated quickly.
(Score: 2) by DannyB on Tuesday May 23 2017, @06:12PM (6 children)
Momentarily, assuming the truth of: because humans are trash
then why not just cut humans out of your miserable life? And keep computing?
Computers existed before the internet. In fact, you could even keep the internet and just not interact with humans. Sites like Wikipedia might suit your purposes. Sites like SN might not.
Young people won't believe you if you say you used to get Netflix by US Postal Mail.
(Score: 0) by Anonymous Coward on Tuesday May 23 2017, @07:42PM (2 children)
However, the problem is that computers are made by humans, and the systems are so complex, that really they only function at all due to more work than any one person can handle. The result is that despite there being the initial sense that one can just take a decently functioning system and customize it for oneself over the course of the rest of one's own miserable life, the truth of the matter is that you actually always depend on a "community" that suffers from politics, shifting goals, and just general human mediocrity.
Even if you are successful at making your system work well for you, the hardware will eventually fail, and then you'll find there's nothing new out there with which to replace your broken system, except for systems that come broken by design, purposefully sealed off as magical and unhackable black boxes, choked under cryptographic DRM, and backdoored in the most intimate levels by the powers-that-be.
Enjoy.
(Score: 0, Disagree) by Anonymous Coward on Wednesday May 24 2017, @01:55AM (1 child)
Someone's been binge-watching The Stallman Hour...
(Score: 0) by Anonymous Coward on Wednesday May 24 2017, @05:42AM
Someone's been busy ignoring reality...
(Score: 2) by GreatAuntAnesthesia on Tuesday May 23 2017, @11:09PM (2 children)
Logically, the third option is to keep humans and the internet, but ditch computers. Of course you'll have to learn how to code/decode TCP/IP by listening to a 300 baud modem and whistling in response...
(Score: 2) by art guerrilla on Wednesday May 24 2017, @12:31AM
given that there are some blind people who have managed to vocalize clicks and use the echo-location response to navigate the world around them; yeah, i bet there are some one-in-a-million who *can* listen/decode, encode/whistle...
.
those fuggin human beans, their wetware is amazing...
(Score: 1) by butthurt on Wednesday May 24 2017, @02:15AM
https://tools.ietf.org/html/rfc1149 [ietf.org]
(Score: 0) by Anonymous Coward on Tuesday May 23 2017, @07:04PM
I... agree.
*curls up in the corner and begins slowly rocking while sobbing softly*
(Score: 0) by Anonymous Coward on Tuesday May 23 2017, @05:28PM (8 children)
And bug numbers or CVEs...
(Score: 3, Informative) by EvilSS on Tuesday May 23 2017, @05:45PM (4 children)
Here is the Check Point blog post on it: http://blog.checkpoint.com/2017/05/23/hacked-in-translation/ [checkpoint.com]
(Score: 2) by PinkyGigglebrain on Tuesday May 23 2017, @11:45PM (3 children)
Would have been nice if the submitter or editor had mentioned that.
Thank you for providing the information that was lacking. Now I know I need to be mindful of the subtitles I use until VLC posts an update.
"Beware those who would deny you Knowledge, For in their hearts they dream themselves your Master."
(Score: 1, Informative) by Anonymous Coward on Wednesday May 24 2017, @11:33AM
- VLC already released an update, Version 2.2.5.1 [videolan.org] but still won't autoupdate.
- Kodi already patched the source [github.com], but no binaries are available.
(Score: 2) by FatPhil on Wednesday May 24 2017, @12:32PM (1 child)
https://github.com/xbmc/xbmc/pull/12023/commits/c659486bc66d64788b8d379b0e898937cfedc749
However, the first thing that comes to mind is that someone could guess an absolute path and simply include one of those in the zip file. Dunno how sane the zip library used is, and whether it protects against that. No need to path traverse somewhere if you can go straight there.
Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
(Score: 0) by Anonymous Coward on Wednesday May 24 2017, @01:57PM
Yes, the AC upstream already linked the merged ZipManager: skip path traversal pull request 1 hour before your post.
(Score: 1, Informative) by Anonymous Coward on Tuesday May 23 2017, @06:37PM (1 child)
CVE-2017-8310, CVE-2017-8311, CVE-2017-8312 and CVE-2017-8313
http://www.eweek.com/security/check-point-discovers-media-subtitle-vulnerability-impacting-millions [eweek.com]
CVE's have not been published yet though
(Score: 0) by Anonymous Coward on Wednesday May 24 2017, @11:35AM
Kodi's pull request [github.com] is already public so in practice the cat is out of the bag.
(Score: 0) by Anonymous Coward on Tuesday May 23 2017, @08:04PM
If TFA was food it would be celery: so deail-poor you can actually lose intelligence by reading it. What is this, CNN? Fox?
(OMG! Eleventy million people have downloaded VLC! (How many use the so-called malicious subtitles?) Seventeen, but that's not the point! Eleventy million!!!1! Infected text files!)
(Score: 2) by bob_super on Tuesday May 23 2017, @05:35PM (3 children)
I smell a copyright rat.
> The supply chain for subtitles is complex, with over 25 different subtitle formats in use, all with unique features and capabilities.
> This fragmented ecosystem, (...), making it a hugely attractive target for attackers,
At last check, a fragmented and complex system, used by a limited and often more technical audience, regularly on dedicated devices, is NOT a hugely attractive target for someone to code attacks.
Granted, not everyone wants to face MS or Google tech teams. But the odds of return, in both money or hacker recognition, for targeting such a small pool of potential victims, has to equal the terrorism risk in a world of high-speed cars driven by fentanyl-loaded drunk people.
(Score: 0) by Anonymous Coward on Tuesday May 23 2017, @06:35PM (2 children)
> I smell a copyright rat.
Or...
news likes sensationalism so they sexed up the story a little bit to get more clicks.
(Score: 0) by Anonymous Coward on Wednesday May 24 2017, @01:03AM (1 child)
Not outside the realm of possibility. Corporations like to use the media to push agendas. They do it all the time. They have for years. The news orgs are so crap they run with pretty much anything that sorta looks like a story. I have been seeing tons of KODI hate out there for the past month. It smells like a corporate run hit job. Proof? Not a shred. Of course all of the articles are of the same quality.
(Score: 0) by Anonymous Coward on Wednesday May 24 2017, @05:49AM
Corps rarely run their shady dealings in a way that can be uncovered. Usually a good investigative journalist is required, and even then it often depends on a whistle blower.
(Score: 2) by Gaaark on Tuesday May 23 2017, @07:11PM (2 children)
Shows a windows compuker: is it a windows only attack? Me guesses probably.
--- Please remind me if I haven't been civil to you: I'm channeling MDC. ---Gaaark 2.0 ---
(Score: 0) by Anonymous Coward on Wednesday May 24 2017, @01:01AM (1 child)
is it a windows only attack? Me guesses probably
I am guessing not from the summary.... users of popular media players, including VLC, Kodi (XBMC), Popcorn Time and Stremio.
(Score: 2) by maxwell demon on Wednesday May 24 2017, @04:13AM
Given that all of the listed projects are multiplatform and support Windows, it is impossible to say whether it only affects Windows, or all versions.
The fact that the same vulnerability exists in all those applications suggests that it is not in code written specifically for those projects, but in code used by all of them. This may be some platform-independent code, but it also may be platform-dependent code. In the former case, it probably affects all platform, while in the latter case it probably affects only one platform. Since the demonstration was on Windows, that single platform would then be Windows.
The Tao of math: The numbers you can count are not the real numbers.
(Score: 3, Interesting) by butthurt on Wednesday May 24 2017, @02:00AM
Dutch Court Rules Fan Subtitling is Illegal
/article.pl?sid=17/04/24/1837249 [soylentnews.org]
Swedish Fansub Site Operator Facing Prosecution
/article.pl?sid=16/05/27/0055244 [soylentnews.org]
Netherlands Fansubbing Group Prepares to Sue BREIN
/article.pl?sid=16/02/07/1523233 [soylentnews.org]
(Score: 3, Touché) by corey on Wednesday May 24 2017, @02:19AM (3 children)
Use MPV. No need for VLC bloat.
(Score: 2) by bart9h on Wednesday May 24 2017, @03:41AM
Same here: mplayer, then mplayer2, then mpv.
If only all software were this straightforward
(Score: 2) by butthurt on Wednesday May 24 2017, @04:23AM
Downloading subtitle files isn't a default behaviour with vlc, is it?
A script enabling such downloads with MKV is available:
-- https://github.com/rumkex/osdb-mpv [github.com]
The article doesn't specifically say that MKV is not vulnerable.
(Score: 2) by jasassin on Thursday May 25 2017, @02:14AM
I ran top to monitor all the video players under Linux. Totem used to work, but after an update it's totally busted. Totem now maxes out my CPU for some reason. mpv (the newest iteration of mplayer/mplayer2) uses half the CPU of VLC.
I wonder why VLC is so slow compared to mpv when they have access to all the mpv code. Oh well, mpv is the best I've found.
I wonder if mpv has any subtitle bugs.
jasassin@gmail.com GPG Key ID: 0x663EB663D1E7F223