Virus in subtitle

Discussion in 'other security issues & news' started by david banner, Jun 16, 2019.

  1. david banner

    david banner Registered Member

    Joined:
    Nov 24, 2007
    Posts:
    725
    https://www.maketecheasier.com/subtitles-malware-how-to-avoid-it/

    I found the above link. I still don't understand how a text file could have a virus. What does "install the subtitle file into the media player" mean? I usually have film.mp4 and film.srt in the same folder and play them with VLC. How is that installing the subtitle into the media player?

    The link is two years old. My scans are always clear.
     
  2. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,872
    Location:
    Outer space
    Afaik, no installing is done; that's just bad terminology. It looks like they mean it's an exploit. If a piece of software needs to parse untrusted content, whether this is a website, a PDF file, a media file or a simple text file, attackers can try to make the untrusted content very unusual, which might crash the software because it doesn't understand it. Combine it with a vulnerability in the software and they can execute code on your system. This is a lot easier with complex content like a PDF file than with a simple text file; however, as stated in the article, this very fact also makes it interesting for an attack, as nobody suspects it.
     
  3. david banner

    But wouldn't you see the virus code if you opened the SRT file? I usually open it when I download it to make sure there are no ads. Sometimes there is an ad at the start and in the middle of the movie. Would opening it outside of VLC, extracting it from the zip, constitute parsing it or running it?
     
  4. BoerenkoolMetWorst

    Afaik it is usually just exploit code; the virus is downloaded later. You should be able to see it, yes. However, even when opening it with Notepad, it would need to parse. But the exploit code needs to target something, for example a specific media player, or maybe some 3rd-party library used by multiple media players. That would make it safe to open with Notepad. Note that it is possible to exploit even a simple application such as Notepad:
    https://www.securityweek.com/google-researcher-finds-code-execution-vulnerability-notepad
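
    The point made in posts 2 and 4, that a plain text file is "parsed" by the player and that the exploit targets a defect in that parser, as an added example in C. This is not code from the thread, the linked articles, VLC or any other media player: a minimal parser for one SubRip (.srt) cue, first in the shape a crafted subtitle would target (a text line copied into a fixed-size buffer with no length check), then in a bounded form that rejects a cue which is too long, has a malformed or out-of-range timestamp, or carries control bytes. The buffer sizes, the function names and the sample cue are this example's own choices and constructed inputs.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define TEXT_MAX 64   /* cue text capacity, NUL included; this example's own limit */

struct cue { int index, start_ms, end_ms; char text[TEXT_MAX]; };

/* The vulnerable pattern: the text line is copied with no check that it fits,
 * so a line of TEXT_MAX bytes or more writes past out->text. Never called here. */
void parse_cue_unsafe(const char *text_line, struct cue *out)
{
    strcpy(out->text, text_line);
}

/* Next line of *src without its newline (CR stripped); NULL at end of input. */
static const char *next_line(const char **src, size_t *len)
{
    const char *s = *src, *nl = strchr(s, '\n');
    if (*s == '\0')
        return NULL;
    *len = nl ? (size_t)(nl - s) : strlen(s);
    *src = nl ? nl + 1 : s + *len;
    if (*len > 0 && s[*len - 1] == '\r')
        (*len)--;
    return s;
}

/* "hh:mm:ss,mmm --> hh:mm:ss,mmm" to milliseconds; -1 if malformed or out of range. */
static int parse_timing(const char *line, int *start_ms, int *end_ms)
{
    int t[8], i;
    char trailing;
    if (sscanf(line, "%2d:%2d:%2d,%3d --> %2d:%2d:%2d,%3d%c",
               &t[0], &t[1], &t[2], &t[3], &t[4], &t[5], &t[6], &t[7], &trailing) != 8)
        return -1;                                   /* wrong shape or trailing junk */
    for (i = 0; i < 8; i++)                          /* t[i%4]: hours, minutes, seconds, ms */
        if (t[i] < 0 || (i % 4 == 3 ? t[i] > 999 : i % 4 != 0 && t[i] > 59))
            return -1;
    *start_ms = ((t[0] * 60 + t[1]) * 60 + t[2]) * 1000 + t[3];
    *end_ms   = ((t[4] * 60 + t[5]) * 60 + t[6]) * 1000 + t[7];
    return *end_ms >= *start_ms ? 0 : -1;
}

/* Parse one cue: index line, timing line, then text lines up to a blank line.
 * Returns 0 on success, -1 on any violation; never writes past out->text. */
int parse_cue_safe(const char *src, struct cue *out)
{
    const char *p = src, *line;
    char scratch[32], *endp;
    size_t len, i, used = 0;
    long idx;

    memset(out, 0, sizeof *out);
    line = next_line(&p, &len);                      /* line 1: cue index, digits only */
    if (!line || len == 0 || len >= sizeof scratch)
        return -1;
    memcpy(scratch, line, len);
    scratch[len] = '\0';
    idx = strtol(scratch, &endp, 10);
    if (*endp != '\0' || idx <= 0 || idx > 1000000)
        return -1;

    line = next_line(&p, &len);                      /* line 2: timing */
    if (!line || len >= sizeof scratch)
        return -1;
    memcpy(scratch, line, len);
    scratch[len] = '\0';
    if (parse_timing(scratch, &out->start_ms, &out->end_ms) != 0)
        return -1;

    /* Text lines, joined with '\n'. A cue that would not fit is rejected,
     * not truncated, and C0 control bytes / DEL are rejected as well. */
    while ((line = next_line(&p, &len)) != NULL && len > 0) {
        size_t need = used + len + (used ? 1 : 0);
        if (need >= TEXT_MAX)
            return -1;
        for (i = 0; i < len; i++)
            if ((unsigned char)line[i] < 0x20 || line[i] == 0x7f)
                return -1;
        if (used)
            out->text[used++] = '\n';
        memcpy(out->text + used, line, len);
        used += len;
        out->text[used] = '\0';
    }
    if (used == 0)
        return -1;                                   /* cue without text */
    out->index = (int)idx;
    return 0;
}

/* Demonstration helper: a constructed cue whose one text line is n bytes of 'A'. */
int parse_cue_with_text_len(size_t n, struct cue *out)
{
    char *buf = malloc(n + 64);
    int head, rc;
    if (!buf)
        return -1;
    head = snprintf(buf, n + 64, "1\n00:00:01,000 --> 00:00:04,000\n");
    memset(buf + head, 'A', n);
    strcpy(buf + head + n, "\n");
    rc = parse_cue_safe(buf, out);
    free(buf);
    return rc;
}

int main(void)
{
    struct cue c;   /* constructed sample cue, the shape of any entry in a downloaded .srt */
    if (parse_cue_safe("1\n00:00:01,000 --> 00:00:04,000\nHello\nworld\n", &c) == 0)
        printf("cue %d [%d..%d ms]: %s\n", c.index, c.start_ms, c.end_ms, c.text);
    printf("63-byte line: %s\n", parse_cue_with_text_len(63, &c) ? "rejected" : "accepted");
    printf("64-byte line: %s\n", parse_cue_with_text_len(64, &c) ? "rejected" : "accepted");
    return 0;
}
```

    The difference between the two parsers is exactly what the posts above are describing: the file is ordinary text either way, and Notepad shows it as text, but the player's parser has to turn that text into numbers and buffers, and the unsafe version trusts the file to be shaped the way a normal subtitle is. The safe version treats every line as attacker-controlled and fails closed on anything that does not fit.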
     
  5. david banner

    What exactly does parse mean?
     
  6. BoerenkoolMetWorst

    I'm not a programmer, so maybe I'm not using the word correctly but I mean that it needs to process data.
     
  7. david banner

    OK, thanks for that link. I do not understand how he opens a shell in Notepad or his screenshot. I have 'open' but not 'open with' in the System32 folder where Notepad is.
     
    Last edited: Jun 18, 2019
  8. BoerenkoolMetWorst

    It's because he exploited a vulnerability in Notepad that allows him to launch other processes; he used cmd as an example because cmd allows an attacker to do all kinds of stuff.
     
  9. david banner

    https://www.technadu.com/microsoft-notepad-vulnerability-remote-shell-access/69357/ says it is unlikely to work: "one would have to sit on the target computer and launch the text editing application, so there can’t really be a successful method of remote exploitation."
     
  10. BoerenkoolMetWorst

    Not much can be said about it without the details being released, so we'll have to wait. The article writer also quotes others saying that exploit mitigations are hard to bypass, but Ormandy already said he bypassed them.
     