[Kodi 17 malicious Subtitles Threaten ] ...

Kodi (formerly known as XBMC) is an award-winning free and open source (GPL) software media player and entertainment hub
father.mande
Posts: 1818
Joined: Sat Sep 12, 2015 2:55 am
Location: La Rochelle (France)

Post by father.mande »

Hi,

F.Y.I. Kodi 17.3 solves this problem (17.2 was canceled due to a crash)
TorrentFreak wrote: Millions of people risk having their devices and systems compromised by malicious subtitles, Check Point researchers revealed today. The threat comes from a previously undocumented vulnerability which affects users of popular streaming software, including Kodi, Popcorn-Time, and VLC. Developers of the applications have already applied fixes or will do so soon.
Check Point Research wrote: The attack vector relies heavily on the poor state of security in the way various media players process subtitle files and the large number of subtitle formats. To begin with, there are over 25 subtitle formats in use, each with unique features and capabilities. Media players often need to parse together multiple subtitle formats to ensure coverage and provide a better user experience, with each media player using a different method. Like other, similar situations which involve fragmented software, this results in numerous distinct vulnerabilities.
Philippe.
AS6602T / AS5202T /AS5002T / AS1002T / FS6706T
hallingsgaard
Posts: 2
Joined: Fri Jun 02, 2017 1:02 pm

Re: [Kodi 17 malicious Subtitles Threaten ] ...

Post by hallingsgaard »

About this, where can we find version 17.3?
Can't find it on the apps list (only v17.0), and on your site the "https://www.father-mande.ovh/page_telechargement.html" it says file not found.
Can't find anything on the kodi homepage either.
father.mande
Posts: 1818
Joined: Sat Sep 12, 2015 2:55 am
Location: La Rochelle (France)

Re: [Kodi 17 malicious Subtitles Threaten ] ...

Post by father.mande »

Hi,

Hum! If a link always exists ... it's an error (I will try to suppress it A.S.A.P. ... because in any case it's an old link to 17.0, NOT to 17.3)

mykodi 17 (.3) is now NOT DELIVERED at all on Asustor (only on another Brand without OFFICIAL Kodi)
It's not a good idea to have multiple versions of the SAME software ... because of false diagnostics, and it generally reduces the support response time if something can run on another copy of the same software ...

The best is to call the Helpdesk

The second aspect is to understand the problem and have a good method to not fall into the problem
... don't automatically load subtitles provided in a Zip file
... if you need it, download it separately and unzip it (check whether any code is present ... the file must contain ONLY text and numbers)
... then when clear ... put the subtitle file in the same folder as the video file

With this you reduce the risk up to 95% ... but this consumes time and needs some tools (file check)

Philippe.
AS6602T / AS5202T /AS5002T / AS1002T / FS6706T
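
One way to automate the manual check described in the post above, as an added example that is not part of the thread: it inspects a downloaded subtitle archive in memory, flags entries that are not plain `.srt` cue files, and extracts nothing. It covers only the SRT format; the markup list, the size limit and all function names are assumptions of this sketch.

```python
import io, re, zipfile

# Policy values below are assumptions of this sketch, not taken from the thread.
TIMING = re.compile(r"^\d{2}:\d{2}:\d{2},\d{3} --> \d{2}:\d{2}:\d{2},\d{3}$")
ACTIVE = re.compile(r"<\s*(script|iframe|object|embed)\b|javascript:", re.I)
MAX_SIZE = 5_000_000

def check_srt(data: bytes) -> list:
    """Return findings for one .srt file; an empty list means plain cues only."""
    try:
        text = data.decode("utf-8-sig")
    except UnicodeDecodeError:
        return ["not UTF-8 text: inspect by hand"]  # legacy encodings land here
    findings = []
    if any(ord(c) < 32 and c not in "\r\n\t" for c in text):
        findings.append("control characters present")
    for n, block in enumerate(re.split(r"\r?\n\s*\r?\n", text.strip()), 1):
        lines = [l.strip() for l in block.splitlines()]
        if len(lines) < 3 or not lines[0].isdigit() or not TIMING.match(lines[1]):
            findings.append(f"cue {n}: not index / timing / text")
        elif any(ACTIVE.search(l) for l in lines[2:]):
            findings.append(f"cue {n}: active markup")
    return findings

def check_zip(blob: bytes) -> dict:
    """Inspect a subtitle archive in memory; nothing is extracted to disk."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            name = info.filename
            if name.startswith(("/", "\\")) or ".." in re.split(r"[\\/]", name):
                report[name] = ["unsafe path in archive"]
            elif not name.lower().endswith(".srt"):
                report[name] = ["unexpected file type"]
            elif info.file_size > MAX_SIZE:
                report[name] = ["too large for a subtitle"]
            else:
                report[name] = check_srt(zf.read(info))
    return report

def sample_zip() -> bytes:  # constructed sample archive, not real data
    good = "1\n00:00:01,000 --> 00:00:02,500\nHello <i>there</i>\n\n2\n00:00:03,000 --> 00:00:04,000\nBye\n"
    bad = "1\n00:00:01,000 --> 00:00:02,000\n<script>x()</script>\n"
    files = {"movie.srt": good, "movie.en.srt": bad, "../outside.srt": good, "readme.exe": "MZ"}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in files.items():
            zf.writestr(name, body)
    return buf.getvalue()
```

An empty findings list means the entry passed these checks, which narrows what needs a manual look; running a patched player remains the actual fix.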
hallingsgaard
Posts: 2
Joined: Fri Jun 02, 2017 1:02 pm

Re: [Kodi 17 malicious Subtitles Threaten ] ...

Post by hallingsgaard »

thanks for quick reply :-)
MikeG.6.5
Posts: 917
Joined: Fri May 15, 2015 1:56 am

Re: [Kodi 17 malicious Subtitles Threaten ] ...

Post by MikeG.6.5 »

It is interesting to note, that Plex has never been one of the identified apps that this malicious attack could leverage. It seems of all of the major player and streaming apps, it was the only one safe.
father.mande
Posts: 1818
Joined: Sat Sep 12, 2015 2:55 am
Location: La Rochelle (France)

Re: [Kodi 17 malicious Subtitles Threaten ] ...

Post by father.mande »

Hi,
MikeG.6.5 wrote: It is interesting to note, that Plex has never been one of the identified apps that this malicious attack could leverage. It seems of all of the major player and streaming apps, it was the only one safe.
True ... but technical & political reasons explain this
Plex is based on client / server mode ... so the client doesn't manage anything locally ...
Plex server doesn't include addons to automate (or whatever else) the inclusion of movies ... so the admin of the server, for subtitles (e.g. here), gets the real file (.srt, etc.), NOT a zip file unzipped transparently and then applied ...

Kodi is not (except for DLNA) a server and it's an open client (too open, some people write ...) ... so it's possible to integrate a lot of things and to get addons not only from the Kodi team but from anybody ... this "open approach" ... adds potential security problems ... even if the Kodi team (when it's in the core product) has a short and good response time

So the problem is: yes, Kodi is open and a security problem can exist (in this case in a specific usage: automation of the load and run of zip files for subtitles), BUT yes, this problem is solved quickly by the Kodi team ... BUT again YES, the problem is that a lot of brands, integrators and re-sellers integrate Kodi in their boxes ... but are NOT reactive when this problem occurs (like for any kernel or CVS security break)
F.Y.I. on a standard Linux distribution ... the update will be present and applied in 24H00 after being solved ...
Plex is the only official source for server delivery ... nobody can build its own version for integration on a specific platform like a NAS (so a better control on it)

So you are a little more of a prisoner with Plex for any change ... whereas in Kodi you can open anything to your needs ... (e.g. I have created (for fun) a NAS add-on to launch NAS (Asportal or HD_Station) applications directly from the Kodi interface ... this is not possible with Plex)

You reopen the debate between "closed proprietary (even free) server" and "totally open tools able to be rebuilt by yourself" ... sure this debate is not near to being closed :lol: :lol:

Philippe.
NB As you know I am a Plex user and a Plex integrator for client ... so not a "fan only" of kodi ...
AS6602T / AS5202T /AS5002T / AS1002T / FS6706T
ator025
Posts: 1
Joined: Sat Jun 10, 2017 5:05 am

Re: [Kodi 17 malicious Subtitles Threaten ] ...

Post by ator025 »

Hi, any news about upgrading the Kodi Asustor app to 17.3? I created a support ticket asking for the update but no positive response yet... So far, I'm manually checking subs files, but it is a pain. Any other alternative method until Asustor does this important update to the app?
Thanks!