Beware! Subtitle Files Can Hack Your Computer While You're Enjoying Chink Cartoons

Be reminded that your chink cartoons can haxxor you into kingdom come.

thehackernews.com/2017/05/movie-subtitles-malware.html

This is why you don't overcomplicate stuff.

A subtitle needs three pieces of information. A timecode, the text, and an optional position. That is literally it.

Colour and font is important too

Ehhhhh

>THE TEXT!

Some hardworking teams that work on creating subtitles for 2D animation try their best to overlay translated text in the exact position where they appear on the screen as they move.

this should be part of the media player, not included in the file

>Just watched some anime with subs
I downloaded the series a few months ago
Am I safe?

Yes. The fact that this was discovered just now means that it has probably existed since the ability to parse subtitle files with advanced features came into being.

Err. I mean no.

How do I scan for something like this?

You can't yet. This was disclosed 5 hours ago.

And then someone fucks up the parser or makes the rendering too intelligent or whatever anyhow.

Same as with SQL injections and everything else.

You don't. You use players that patched whatever vulnerability there was.

I wonder who could be behind all this?

How the hell do you fuck up a parser of .srt? It's stupid af (matroska.org/technical/specs/subtitles/srt.html)

Not according to Funimation.

what possible exploit could exist in a srt parser??

B-but my snowflake subs!

Good thing users can adjust them to their preference then. Personally, I like yellow Franklin Gothic prosubs.

>VLC — Popular VideoLAN Media Player
>Kodi (XBMC) — Open-Source Media Software
>Popcorn Time — Software to watch Movies and TV shows instantly
>Stremio — Video Streaming App for Videos, Movies, TV series and TV channels

Just use MPC-HC

>tfw I have VLC 2.2.5 so I'm already protected

They can introduce shitty subs into your video player.

It's almost as bad as having to hear English in anime, but imagine that horror for your eyes.

>VLC
We told you not to use it.

i either watch livestreams or raws though

It's not the subtitle file itself that's the vector. Try reading next time, retard.

Be reminded that this is an AD by some lame "security" company

>the vulnerability is in parsing .srt subs
Those are the most basic of all subtitles! Literally just a time stamp and the subtitle string per line. How do you fuck this up?

I am pretty sure I know what it is doing. They found that the players don't handle the text strings in a safe way and it must just launch a background RPC call to the attacker computer. Basically the applications were probably ASSUMING the subtitle text was safe and did no checking on it. Basic sanitation 101 people.

What kind of shitty media player are you using that has exploits that would allow subtitles to "hack" your computer?

VLC.

>mpv not on list
Oh so it's nothing

Wait, so is this only a problem with srt?
Lol, ASS master race here.

It's not a problem with srt, it is a problem with how those players were parsing the srt.

srt subtitles are the most basic, there is no formatting just a string and a timestamp when it should be visible.

srt parsing in VLC may be handled by libass, so potentially ASS subs could have been vulnerable as well if they were handled through the same vulnerable code, but it's still pretty funny they could fuck up parsing that badly.

Can you link to original and not your blog next time

blog.checkpoint.com/2017/05/23/hacked-in-translation/

Oh, fuck, now i have to update kodi on my htpc. I fucking hate 17 design.

does this affect me if i only stream from my plex server

Potentially, yes. If your plex server automatically downloads subtitles or you download a video with a crafted subtitle file embedded and you load it.

>we tested media players
>didn't test mpv
It's a shit site then.

I use mpv, am I safe?

Maybe. A quick look shows that mpv uses libass which is what VLC uses, so it is possible that if they haven't updated it yet mpv would be vulnerable, but there may be other factors involved.

Old time MPC user who uses VLC just in case MPC refuses to play something
>just ran my vlc to check its version
>2.2.4
>ok, time to update
>Click check for updates
>You have the latest version /user/!!
>go directly to the site, last version is, 2.2.5 indeed
WTF! Get your shit together VLC!
I went to the site and downloaded 2.2.5, but if a common user sees the "you have the latest and greatest" they won't do further shit

I switched to streaming 3 years ago.
Can't be arsed with downloading anymore because most of the fresh uploaded stuff is either SD stream shit quality from HS, and stream sites are fucking fast at uploading right now and provide the same quality as HS stuff.

but what about mpv

see

>another vulnerability introduced by feature bloat
looks like mpv wins again

Can anyone provide a link to one of these files ?

Apple MacBook Pro with TouchID doesn't have this problem

>windows

~yawn
Every single time

>LIBASS

>LITERALLY ASS

GO FIGURE

NO ONE USES SHITPV

EVERYONE USES MPC-HC BECAUSE ITS GOT MORE LETTERS

github.com/mpv-player/mpv/issues/4449
>rossy commented 13 minutes ago

>>it would help if someone would clarify - since several players are affected, it looks like a vulnerability in a library used by all of them.

>This is misleading on the part of the original article. It's actually describing four independent vulnerabilities that they found in each player, for example, the Kodi one is a logic error in their zip decoder and the VLC one is a buffer overflow in their internal subtitle decoder. The only commonality is the attack vector, online subtitle repositories.

MPV SHILLS ON SUICIDE WATCH

ALL HAIL NOT MPV

>subtitle files
It's the automatic subdownloader.

Why can't no one on Sup Forums do a fucking diff
pastebin.com/M49Frrpe
Here's the bug, they were parsing html without checking for \0.
Good media players most likely not affected unless they copied code from vlc like the other 3 affected.
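
The bug class named in the post above (scanning HTML-like markup in subtitle text without checking for `\0`), shown as an added C example. It is constructed for illustration and is neither VLC's code nor the contents of the linked diff; the function names and the choice to keep an unterminated `<` as literal text are assumptions.

```c
#include <stddef.h>
#include <string.h>

/* Unsafe pattern (illustrative, hypothetical name): the inner loop hunts for
 * '>' and never tests for '\0', so a line ending in "<i" is read past its
 * terminator into whatever memory follows the buffer. */
size_t strip_tags_unsafe(const char *in, char *out, size_t out_cap)
{
    size_t n = 0;
    if (out_cap == 0) return 0;
    while (*in != '\0') {
        if (*in == '<') {
            while (*in != '>')      /* BUG: no '\0' check */
                in++;
            in++;                   /* skip the '>' */
        } else {
            if (n + 1 < out_cap) out[n++] = *in;
            in++;
        }
    }
    out[n] = '\0';
    return n;
}

/* Hardened form: every scan is bounded by an explicit input length and by
 * the first NUL. Returns bytes written (excluding NUL), or -1 if the output
 * buffer is too small (the line is rejected rather than truncated). */
long strip_tags_checked(const char *in, size_t in_len, char *out, size_t out_cap)
{
    if (out_cap == 0) return -1;
    const char *end = memchr(in, '\0', in_len);   /* stop at first NUL */
    if (end == NULL) end = in + in_len;           /* or at the length bound */
    size_t n = 0;
    while (in < end) {
        if (*in == '<') {
            const char *close = memchr(in, '>', (size_t)(end - in));
            if (close != NULL) { in = close + 1; continue; }
            /* unterminated tag: keep '<' as literal text (assumption) */
        }
        if (n + 1 >= out_cap) return -1;
        out[n++] = *in++;
    }
    out[n] = '\0';
    return (long)n;
}
```
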

Sorry to bother, but I'm not savvy enough to really understand what I'm looking at and would like to learn. Can anyone explain this in more detail than the article / in simple terms or tell me how to safely figure out if MPC-HC is affected? Does it only affect you if you're downloading subs through your player rather than already having subs in the file itself?

It only affects vlc and anything that shamelessly copied code from vlc.
mpc and mpv should not be affected by the same vulnerability.

2.2.6 for VLC was just released
>[videolan] VLC media player 2.2.6 is pushed to Windows users, for a couple of regressions and security issues. mac builds are under way.