NarcFlagz | 155 points
https://torrentfreak.com/malicious-subtitles-threaten-kodi-vlc-and-popcorn-time-users-researchers-warn-170523/
Please update to latest VLC or use MPC (there seems to be nothing about MPC having this exploit). Update your Kodi if you use that to play files as well. If you're not enabling subtitles, this exploit seems to not activate, but it's best to keep up to date anyway.
Shift + F1 OR Help > About.
https://www.youtube.com/watch?v=sg46VAD5ur8
https://www.youtube.com/watch?v=HxHqBDPGmUg
http://www.videolan.org/vlc/download-windows.en-GB.html
http://mirrors.kodi.tv/releases/win32/kodi-17.2-Krypton.exe
https://mpc-hc.org/
[-] bumblebeebot | 11 points
Stupid VLC says it has the latest version when it doesn't, had to update manually. Thanks for the warning.
[-] SourceDetective | 9 points
This is a very dangerous exploit. Thank you. Updating now!
[-] RAWRzilla22 | 9 points
PotPlayer has outperformed VLC for me in very nearly every way I have thrown at it. I HIGHLY ADVOCATE ITS USE :)
[-] harryharpratap | 4 points
No linux support though :(
[-] RAWRzilla22 | 2 points
Yeah, it's made by a Korean dude who mostly speaks no English, so there's your downside
HIGHLY RECOMMEND POT PLAYA.
[-] generalecchi | 1 points
Is there a way to change the UI's size ? It's kinda small
[-] carlthescorp | 1 points
I've had to reboot my comp before and the issue was resolved
[-] tellmyWIFIhateher | 1 points
I contacted the developer and he told me that potplayer is safe considering this issue.
[-] morphagentOG | 7 points
Thanks for the heads up! This sub is the shit because of users like yourself. Upvote for u.
[-] koopadekid | 6 points
it just updated again so now the latest is 2.2.6
Good thing I don't watch videos on my pc. I watch all mine on plex through my roku box.
[-] halolordkiller3 | 0 points
My brain... it hurts
[-] [deleted] | 1 points
[deleted]
[-] halolordkiller3 | 1 points
Ok lol I thought you were like nah man I use plex which has no bearing on kodecs lol
PotPlayer OK?
1.7.1988 does not include a fix according to their changelog.
Checkpoint researchers only contacted VLC, kodi, and popcorn time. but all media players are vulnerable.
edit: not every single media player in existence is vulnerable of course. but you should probably avoid using anything that isn't 100% immune to the vulnerability for a bit, or avoid using subtitles.
Are you sure ALL media players are vulnerable? It seems like that would only be the case if all the projects were reusing code that contained the same vulnerability, like a library for processing subtitles. I mean, that's not impossible, especially with open source projects like VLC, but it seems like you could also have software that has its own separate code for handling subtitles that doesn't have the vulnerability ... I dunno.
yes, read the checkpoint blog. they only tested on the most commonly used media players but they believe that there are other vulnerable
edit: not every single media player in existence is vulnerable of course. but you should probably avoid using anything that isn't 100% immune to the vulnerability for a bit, or avoid using subtitles.
[-] BetrayerOfBetrayers | 0 points
they believe that there are other vulnerable
In other words: They don't know. But still decide to spread FUD.
[-] simplefilmreviews | 3 points
Default skin for VLC is hideous! Shame they don't update it. (obviously you can change it via skins, which I did, but man that default one doe)
What skin do you recommend? I never changed it before, but now that I know it's an option I'm really keen on doing so.
[-] simplefilmreviews | 2 points
http://www.videolan.org/vlc/skins.html
I use dark lounge (top right)! (I seriously hate the default skin, it's hideous)
[-] MiscellaneousZed | 2 points
Anyone know if this affects those running Linux distros? There doesn't appear to be a (stable) release of anything higher than 2.2.2 for Ubuntu. I updated to the testing 3.0.0, to be safe, but I'm not thrilled about having to run the testing version.
[-] NoMoreNicksLeft | 5 points
Anyone know if this affects those running Linux distros?
Buffer overflows are generally possible in all software that hasn't specifically been written to avoid them.
However, it is a very targeted attack. A buffer overflow exploit that will seize control of your Windows machine will, at most, just crash VLC on a linux machine. And vice versa.
And it's very narrow too... has to be a specific version of windows, or at most a small range of closely-related versions. On linux, it will only work against a specific kernel version (or whatever component it is exploiting to elevate privileges).
If someone has a proof of concept trojan for windows, you're moderately safe on linux... at least until someone decides to try the same on that os. Of course, by the time you hear about that one, it might be too late.
Not sure yet. It was only shown on windows, but you never know what can happen.
There's the tarball, if you want to go old school. Latest tarball is 2.2.6
[-] MiscellaneousZed | 2 points
[-] rednight39 | 2 points
Wow--that youtube video is scary!
[-] ChillingInTraffic | 2 points
Should I delete all my .SRT subtitles I have?
From reading about it this morning, it sounds like the exploit uses subtitle files that are made using bitmaps. Text files that make the video player render the text onto the screen (like srt files) are fine. In fact, switching to text-based subtitles like srt files exclusively will help keep the exploit from being used on your video player until you can update it.
[-] MiscellaneousZed | 2 points
Thanks for that information. Good stuff to know.
[-] weatherwizard_pxw | 1 points
would this impact Kodi from the Windows Store app? considering they do auto updates and all
[-] [deleted] | 1 points
[deleted]
If you use pre-rendered subtitles, you stand a risk of being exploited. If your subtitle files are all text, they won't hurt you. But don't put off updating your video player.
[-] DarkmessageCH | 1 points
As far as I can tell, yes. The bug was found a few months ago and the developers were informed. Thus a few of them already fixed the bug. So your subtitles could already be malicious...
[-] BetrayerOfBetrayers | -1 points
The "researchers" are mostly spreading FUD. They found a few vulnerabilities in VLC and other movie players which could be used by exploits, but they don't know if such exploits exist in the wild. Their video is really thin on details, too. So keep calm and ~~carry on~~ switch to mpv.
[-] Cristian_01 | 3 points
so why MPV and not VLC?
[-] BetrayerOfBetrayers | 1 points
mpv is much better than vlc (although vlc sure has improved over the last couple of years): faster, slicker, more configurable.
[-] WickedDemiurge | 3 points
The correct time to patch to a version that fixes vulnerabilities is precisely before exploits exist in the wild.
[-] KaronteNoKami | -17 points
[-] AnkitIndia | 11 points | May 24 2017 00:40:06
I just checked for updates on VLC. It says the VLC is updated and no updates are available? EDIT: I am using VLC 2.2.4
[-] manemega | 9 points | May 24 2017 02:06:05
Go to their webpage and download the installer again, then run it, it will update it.
[-] SavageAlien | 5 points | May 24 2017 02:10:30
Same. Just grab it from the website. You'll probably get version 2.2.5.1 from the main download.
[-] Cristian_01 | 1 points | May 24 2017 04:06:33
so do i have to uninstall version 2.2.4 first? or just download the 2.2.5.1 ? would the new version automatically replace the old version? thanks
[-] jsdgjkl | 2 points | May 24 2017 10:24:03
you don't need to uninstall just install the new version. also you can check if it worked by checking help -> about
[-] Cristian_01 | 2 points | May 24 2017 01:06:51
same here
[-] TheEvenDarkerKnight | 2 points | May 24 2017 01:15:13
same