from the targeting-the-hard-of-hearing dept.
Check Point researchers revealed a new attack vector threatening millions of users of popular media players, including VLC, Kodi (XBMC), Popcorn Time and Stremio. By crafting malicious subtitle files for films and TV programmes, which are then downloaded by viewers, attackers can potentially take complete control of any device running the vulnerable platforms.
"The supply chain for subtitles is complex, with over 25 different subtitle formats in use, all with unique features and capabilities. This fragmented ecosystem, along with limited security, means there are multiple vulnerabilities that could be exploited, making it a hugely attractive target for attackers," said Omri Herscovici, vulnerability research team leader at Check Point.
The subtitles for films or TV shows are created by a wide range of subtitle writers, and uploaded to shared online repositories, such as OpenSubtitles.org, where they are indexed and ranked. Researchers also demonstrated that by manipulating the repositories' ranking algorithm, malicious subtitles can be automatically downloaded by the media player, allowing a hacker to take complete control over the entire subtitle supply chain without user interaction.
Source: https://www.helpnetsecurity.com/2017/05/23/subtitle-hack/
(Score: 2) by DECbot on Tuesday May 23, @05:18PM
This is how I imagine the malicious subtitles would sound like if piped to a text to speech vocalizer:
https://www.youtube.com/watch?v=sKa2tz9CpZk
cats~$ sudo chown -R us /home/base
(Score: 1, Funny) by Anonymous Coward on Tuesday May 23, @05:23PM (4 children)
It's all such horrific nonsense.
Do yourself a favor, and cut computing out of your life as much as possible. It's just trash, because humans are trash.
(Score: 0) by Anonymous Coward on Tuesday May 23, @05:32PM (2 children)
I'm much happier since I stopped talking to people.
(Score: 2) by LoRdTAW on Tuesday May 23, @05:36PM
(Score: 0) by Anonymous Coward on Tuesday May 23, @05:37PM
Is it any wonder that the religions of the world tend to involve at some higher level the lone, cloistered monk?
(Score: 2) by julian on Tuesday May 23, @05:36PM
I've almost finished my breadboard computer, which can neither be hacked nor perform practically useful work!
I am expecting written apologies from all Trump supporters when the indictments start
(Score: 0) by Anonymous Coward on Tuesday May 23, @05:28PM
And bug numbers or CVEs...
(Score: 2) by bob_super on Tuesday May 23, @05:35PM
I smell a copyright rat.
> The supply chain for subtitles is complex, with over 25 different subtitle formats in use, all with unique features and capabilities.
> This fragmented ecosystem, (...), making it a hugely attractive target for attackers,
At last check, a fragmented and complex system, used by a limited and often more technical audience, regularly on dedicated devices, is NOT a hugely attractive target for someone to code attacks.
Granted, not everyone wants to face MS or Google tech teams. But the odds of return, in both money and hacker recognition, for targeting such a small pool of potential victims have to equal the terrorism risk in a world of high-speed cars driven by fentanyl-loaded drunk people.
