Hacked in translation
25 May 2017
Check Point researchers revealed a new attack vector which threatens millions of users worldwide – attack by subtitles. By crafting malicious subtitle files, which are then downloaded by a victim’s media player, attackers can take complete control over any type of device via vulnerabilities found in many popular streaming platforms, including VLC, Kodi (XBMC), Popcorn-Time and strem.io. We estimate there are approximately 200 million video players and streamers that currently run the vulnerable software, making this one of the most widespread, easily accessed and zero-resistance vulnerability reported in recent years.
That's heavy. An upgraded version is already available for VLC, but what bothers me is the lack of information and the faulty update mechanism. When I launch VLC on my MacBook Pro:
VLC 2.2.4 is currently the newest version available.
No, I'm not up to date, and no, this is not the newest version available on the VLC website:
Version 126.96.36.199 • Mac OS X • 33 MB
I wish I had a decent package manager like on most GNU/Linux distros.
- jessie (stable)
- stretch (testing)
As a side note, this does not make VLC risk free on that particular distro as other vulnerabilities remain.
Digging on the VLC webiste, I find no info on the vulnerability exploit and the supposed fix.
Changes between 2.2.5 and 188.8.131.52: Security hardening for DLL hijacking environments Translations updates Misc: (...)
So I download the source code (you need to follow two links in order to have access to the repository):
$ git clone http://git.videolan.org/git/vlc.git Cloning into 'vlc'...
Maybe on some branch?
vlc (master)$ git branch -lr origin/HEAD -> origin/master origin/master
Nope, a single branch, but some tags:
vlc (master)$ git tag -l | grep 2.2 2.2.0-git
Good luck finding when and where and how it was fixed. Reddit gave me pointers to 2 commits but the commenter is not sure at all that they are relevant. Well, I'm note sure what I expected, but I suppose the nasty bug is fixed.