Media players wide open to malware fired from booby-trapped subtitles

Hackers have gone back to the future by attempting to infect targets with booby-trapped subtitle files. By crafting malicious subtitle files for films and TV programmes, which are then downloaded by viewers, attackers can hope to take complete control of any device running the vulnerable platforms. Hackers have pushed trojans …

  1. NonSSL-Login

    Blah blah blah

    Check Point's advisory has to be the worst one I have read. It's all PR and no info that can help anyone.

    Is it shared subtitle code among the players? Is it one specific subtitle format that has an issue? Is Kodi vulnerable on all platforms or just Windows?

    One of the links they give is a commit for fixing a directory traversal while unzipping.

    A complete waste of time reading their advisory.

    1. This post has been deleted by its author

    2. Dan 55 Silver badge

      Re: Blah blah blah

      Indeed, it can't even mention the filetype. I searched the blog for .srt, .sub, .ssa, and .idx and found nothing.

      After checking the patches, it turns out it's a zip file parsing problem which allows files to be created above the parent directory where it's decompressed to (i.e. allowing ../something).

      I think El Reg could have pushed the boat out and mentioned that as well.

      1. Anonymous Coward
        Anonymous Coward

        Re: Blah blah blah

        @NonSSL-Login, @Dan 55, thanks for the info. I was here wondering how a .srt file could be used to infect a machine.

        Maybe if its contents were "Download a better subtitle from www.clickheremoron.ru.cn.nk/virus/duh.exe"?

        1. Anonymous Custard
          Headmaster

          Re: Blah blah blah

          Kodi 17.2 was also released this morning, including a fix for this issue.

          1. Scuby

            Re: Blah blah blah

            That release was a bit buggy, they've now released 17.3 to fix this which addresses that. OpenElec will follow shortly.

      2. Ben Tasker

        Re: Blah blah blah

        > After checking the patches, it turns out it's a zip file parsing problem which allows files to be created above the parent directory where it's decompressed to (i.e. allowing ../something).

        Thanks for that. Saved me from trying to hunt down info that should have been in the advisory (and El Reg could've tracked down).
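
The flaw described in this thread (archive entries such as `../something` being written above the directory the zip is decompressed to) and the check that stops it, as an added example that is not part of any comment or of the players' own code. The archive is constructed in memory, and the function names are hypothetical.

```python
import io
import os
import tempfile
import zipfile


def build_sample_archive() -> bytes:
    """Constructed sample: one ordinary subtitle and one traversal entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("movie.en.srt", "1\n00:00:01,000 --> 00:00:02,000\nHello\n")
        zf.writestr("../outside.txt", "would land above the extraction directory")
    return buf.getvalue()


def resolve_inside(dest: str, member: str):
    """Return the absolute target path for member, or None if it escapes dest."""
    root = os.path.realpath(dest)
    # realpath collapses ".." and symlinks; an absolute member replaces root entirely.
    target = os.path.realpath(os.path.join(root, member))
    return target if os.path.commonpath([root, target]) == root else None


def safe_extract(archive: bytes, dest: str):
    """Write only members that stay inside dest; return (written, rejected)."""
    written, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            target = resolve_inside(dest, info.filename)
            if target is None:
                rejected.append(info.filename)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as out:
                out.write(src.read())
            written.append(info.filename)
    return written, rejected


def demo():
    """Extract the sample into <tmp>/subs and report whether anything escaped."""
    with tempfile.TemporaryDirectory() as tmp:
        dest = os.path.join(tmp, "subs")
        os.makedirs(dest)
        written, rejected = safe_extract(build_sample_archive(), dest)
        return written, rejected, os.path.exists(os.path.join(tmp, "outside.txt"))
```

An extractor that instead joins the entry name onto the destination and opens the result for writing, with no containment check, is the vulnerable form the patches addressed.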

  2. Aristotles slow and dimwitted horse

    Ooh la la!! Merde... et mon dieu!!!!

    Now all pay me a bazillion pounds each to translate the title or I'll do some ransomy type stuff!!!

  3. Anonymous Coward
    Anonymous Coward

    That was quick! Been using VLC for so many years and finally donated. Now if only Firefox could be this good, and stop transforming it into a browser no one wants...

  4. Anonymous Coward
    Anonymous Coward

    didn't read it

    headline was offensive. freetard something like a libtard, conservetard, globaltard, englishtard, riaatard or mpaatard?

    1. Anonymous Coward
      Anonymous Coward

      Re: headline was offensive

      Good, that's why I come here!!

      1. Anonymous Coward
        Anonymous Coward

        Re: headline was offensive

        Buttard thattard'stard howtard Johntard speakstard.

        He was bitten by a tardigrade at three months old, you see.

    2. Anonymous Coward
      Anonymous Coward

      Re: didn't read it

      I agree, completely offensive. The article didn't mention anything of the real threat. And as far as how threatening this exploitation is, these subtitles for Deep Throat appear to be a deep threat. I guess that will teach her to down-load such things.

    3. Daggerchild Silver badge

      Re: didn't read it

      Similar. Point of Order: Freetard had hitherto been used to label those who evangelised without thought. Legitimate targets absolutely abound.

      Now that qualifier is stripped, and a tribal-rejection indicator is tagged on *any* user of very-widely used software? That's not good. Don't feed the Zeitgeist that, please. We've got enough on our plate at the moment.

      Social Role classification: enlightener?

      1. Anonymous Coward
        Anonymous Coward

        Re: didn't read it

        I'm going to go out on a limb and say that the freetard label is because people are using subtitles supplied through certain plugins that show pirated material. Anyone else would use the srt plain text format such as myself.

        Why I would need a binary wrapper for plain text comprised of the text to be put on the screen and the time to show it is beyond me?

        1. JEDIDIAH
          Mushroom

          Re: didn't read it

          I recently got some old UK TV reruns because they have a classic Doctor in them. They were a cheap crap product that didn't include any subtitles. You would accuse me, A PAYING CUSTOMER, of being a "freetard" for using 3rd party subs to deal with a shoddy product.

          This is why the use of "freetard" is a pretty good "douche detector".

    4. This post has been deleted by its author

    5. Doctor Syntax Silver badge

      Re: didn't read it

      Hmm. How free is free? Here's the link to VLC fix: http://get.videolan.org/vlc/2.2.5.1/win32/vlc-2.2.5.1-win32.exe

      Oh look, it's a Windows problem at least in part.

    6. hplasm
      Coat

      Re: didn't read it

      All of these things should not be tard with the same brush.

  5. DJO Silver badge

    Will they ever learn?

    Yet again pointless functionality is exploited.

    Subtitles are plain text sometimes with a bit of simple formatting, the ability for them to contain and run executable code is so pointless & stupid it makes Trump look like Mr Brainbox.

    1. Anonymous Coward
      Anonymous Coward

      Re: Will they ever learn?

      Nobody said anything about subtitles normally containing executable code, presumably it's an unchecked buffer in some subtitle library that allows a malformed subtitle string to be executed. And just because something is formed from even 8 bit printable characters that doesn't mean it can't be executed, for example, the standard EICAR "test virus":

      X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

    2. JEDIDIAH
      Linux

      Re: Will they ever learn?

      Only very basic subtitles are plain text. Anything you are likely to see on a UK DVD is going to be an image based subtitle.

  6. GrapeBunch

    vlc

    I've been using vlc 2.2.4 Weatherwax for months. Clicking > Help > Check for Updates ... confirms that it is the latest. Proactively ?

    1. mr.K

      Re: vlc

      The latest version is 2.2.5.1, so the check update thingie seems to be lagging or something. It seems that it is the point one that does the trick.

      http://www.videolan.org/developers/vlc-branch/NEWS

      1. GrapeBunch

        Re: vlc

        Thanks, mr.K. As a vlctard, I'm used to occasional quirkiness on the part of that software, so I guess the check-for-update fail should give me warm fuzzy feelings. Yes, 2.2.5.1 is the current release version running on the same software / hardware as the 2.2.4 that was supposedly the most recent. O non, vlc. tard-if, tard-if, tard-if.

        1. mosw

          Re: vlc

          I just updated to version "2.2.6 Umbrella". Under "Help->Check for updates..." it indicated 2.2.4 was up to date, I had to click the "Recheck version" to be offered the 2.2.6 version.

  7. Your alien overlord - fear me

    Simple - don't download foreign films. Stick to pirating Hollywood and you'll be safe :-)

    1. Len
      Meh

      I don't know where you live but where I live Hollywood films are foreign films. (And yes, I do get upset that Netflix calls all films not made in the US foreign films).

  8. karlkarl Silver badge

    "Freetard" is an incorrect name for a user of open-source software

    A freetard would instead use DivX Player, MoboPlayer or some janky proprietary cruft instead. Or perhaps some cloud shite.

    An open-source user is probably using a non-Windows OS anyway so likely would remain unaffected by this malware.

    1. Anonymous Coward
      Anonymous Coward

      Re: "Freetard" is an incorrect name for a user of open-source software

      OS doesn't matter if the player is executable. What runs, runs.

      However, you could sandbox VLC I guess, not sure how many do that though (I don't). The exploit isn't explained well as far as potential threats. This article isn't the best.

    2. Mike Moyle

      Re: "Freetard" is an incorrect name for a user of open-source software

      Or, perhaps, "freetard" was referring to the article's assertion that "Although they have legitimate uses, subtitle files are typically downloaded in association with pirated foreign-language films," (emphasis, mine), and not referring to FOSS users at all...?

      ("The guilty flees when no man pursueth," -- Proverbs 28:1)

      1. JEDIDIAH
        Linux

        Re: "Freetard" is an incorrect name for a user of open-source software

        That's utter bullshit. You can be more than a mindless bootlicking sheep without being a thief or criminal.

    3. JEDIDIAH
      Linux

      Re: "Freetard" is an incorrect name for a user of open-source software

      I still have some divx files laying around from back before transcoding into h264 was a practical thing to do with the available hardware.

      Early adopter's curse.

  9. martinusher Silver badge

    There are legitimate uses for movie downloads

    I'm not particularly interested in yet more heapin' helpin' of Pirates of the Caribbean but there are times when I want to look at older movies that are either not available where I live or I have some technical problems viewing them (e.g. the Netflix disc crapped out -- yet again). It's also rather irritating that when a remake -- invariably an inferior remake -- of a movie comes out all the older versions disappear from the mainstream streaming sites.

    I don't like being herded like cattle, my tastes dictated by some marketing focus group. The world is full of culture, not all of it commercially exploitable, and we do ourselves a disservice when we restrict access to it just to make a few extra bucks.

    1. Anonymous Coward
      Anonymous Coward

      Re: There are legitimate uses for movie downloads

      Hear, hear!!

      I tried Netflix and rejected it because it contains only the latest (good stuff and excrement alike) but not any old classics nor any "foreign" masterpieces.

      I would pay my good money to any site that would make available to me all the old classics on demand for a subscription.

      Until then, VLC, Opensubtitles (and ######bay)

      ;-)

      1. JEDIDIAH
        Linux

        Re: There are legitimate uses for movie downloads

        I have my own copy of old Trek episodes because Netflix mutilates them much like those cut rate independent broadcast channels we have over here that just show re-runs.

        Providers and publishers can't seem to avoid screwing around with the aspect ratio of old content. Wide screen stuff gets panned and scanned and 4/3 stuff gets mangled into wide screen.

  10. Anonymous Coward
    Anonymous Coward

    I miss the simplicity of the days...

    Where not uninstalling M$ Media Player means you're a mark... But installing VLC etc means life is good...

  11. DropBear
    FAIL

    It's quite unfortunate that for all its verbiage, the article couldn't be bothered to dedicate even a single sentence to how exactly does one "booby-trap" a flat text file to be displayed on a screen. I can't afford to study video links and such right now so bombastic title or not, I'm none the wiser...

  12. Netbofia
    Mushroom

    No real explanation into how the exploit is done

    Even after watching the video, I had no insight into how, all of a sudden, a guy running Kali Linux just started a VNC session to your computer because of a subtitle.

    Looks like Hollywood bull*** just missed a guy typing really fast.
