Yesterday, news was circulating that malicious code in subtitle files was able to be executed in order to take over a device. Researchers at Check Point who discovered the attack said popular apps like VLC, Kodi, Popcorn Time and Stremio were affected by the exploit. Kodi has now been patched in the latest 17.2 security release.
In a blog post, Marijn Kaijser from Kodi, said:
“When Check Point researchers uncovered this flaw they contact us up front to [let] us know about this flaw. Our developers fixed this [security] gap and have added the fix to this v17.2 release. As such, we highly encourage all users to install this latest version! Any previous Kodi version will not get any security patch. We have [begun] the roll our of this version and Android Play Store as well as Windows Store have this update pending and will roll out as soon as possible. Pleases be patient if you are using these store versions. Our official download page, of course, has the regular install files available for the supported platform.”
The full list of fixes in this release includes:
- Fix selection after channel group switching in PVR guide window
- Fix handling of gaps that caused erratic behaviour in EPG grid
- Allow backing out of full screen pictures by mapping long press gesture
- Quick fix for wake up command not being called in PVR power management
- Use alternative method to check if platform updates have been installed on Windows
- [Support for macOS 10.8+, previous versions no longer supported]
- Fix possible security flaw which could abuse zip files which try to traverse to a parent directory
- Use the correct ttc font from the video file for subtitles on Windows
- Detect and delete zero-byte database files which causes crashes
Kodi 17.2 is just a security release and therefore doesn't include any new features, but if you’ve been noticing any stability issues, they could be resolved now.