The Kodi team has just released version 17.2 of their great media player app. They’re still working on the next big release, “Leia” v18, but have released this new intermediate version because it contains an important patch for a security vulnerability that could allow malicious subtitle zip files to access your device.
The subtitle zip file security vulnerability, first discovered by Check Point, can be used to run malicious code on a system. It requires the user to unknowingly load compromised subtitles in a media player, which is not difficult to do since Kodi can access subtitle repositories and download subtitles on the fly. This security hole does not just affect Kodi, but also other popular media players, like VLC, Popcorn Time, and Stremio.
Version 17.2 of Kodi includes a patch for the subtitle vulnerability and also includes other bug fixes. You can download it through Kodi’s website, but the easiest way to update on a Fire TV or Fire TV Stick is to use my Downloader app from the Amazon appstore and enter
Update
11:36am MrMC is not, and has never been, affected by the subtitle security issue. I do not know yet if SPMC is affected, but it’s best to assume it is vulnerable and to be cautious with subtitles.
4:55pm An issue with v17.2 caused add-ons to go missing, so v17.3 has been released with the issue fixed. You can use the short URL
Does this security issue affect SPMC as well?
You would have to contact Kodi
Wouldn’t you have to contact SPMC devs?
What’s the worst somebody can do to the firestick?
The Firestick runs Android, so if the malware writers are taking that into account, it could turn your Firestick into a zombie or worse.
I have 2 rooted Fire Sticks, rooted with KingoRoot. The other day I went to turn on OTG and I noticed that one of them had lost root. It has Kodi 16.1 on it.
I am baffled as to how it lost root. Maybe this has something to do with it, because I did not update; updates are blocked.
Good to know. I just tried this add-on after updating and it works pretty well. Still getting used to the Kodi interface and not sure why I’d use Kodi over the main interface.
http://forum.kodi.tv/showthread.php?tid=312858
Latest Release 2017.5.17 Found in The Official Kodi Repo and My repo
*Requires a PS Vue subscription
Features
Timeline
My Shows
Favorite Channels
Live TV
Sports
Kids
Recently Watched
Featured
Supports
Multiple Profiles
2-Step Verification
*Please report any bugs, accompanied by a log file http://kodi.wiki/view/Log_file/Easy
They must have found a new bug since Kodi is up to version 17.3 now.
“Update: Due to packaging issue after release some add-ons like PVR, visualisation and Inputstream are missing. Also on Ubuntu 14.04 an issue came to light. We will release v17.3 as soon as we can to solve this problem.”
https://kodi.tv/article/kodi-v172-minor-bug-fix-and-security-release
Thanks for the heads up! I’ve added an update to the bottom of this post.
np, always happy to share info. At first I was a bit surprised since I was using AppStarter to update & thought it might have been a rogue APK in/thru AppStarter since I had updated another device to 17.2 earlier.
BTW, might be good if you make a guide based on an XPosed Method to get Home button functionality to AppStarter, Kodi or just about any App.
https://forum.xda-developers.com/fire-tv/general/useful-xposed-modules-mod-apps-to-t3380531/post72383584#post72383584
Aliens4U confirm two working Xposed modules. Both with different characteristics.
Would be much better to simply update the original post headline and text to advise on the correct update being 17.3 — and not just leave that as a footnote underneath the now-outdated 17.2 headline and original post text.
I started to download the 17.2 version and only caught the change to 17.3 midway thru the 17.2 download. Having the wrong 17.2 info remain in the headline and main text of your post just creates confusion and the likelihood of wrong installs.
I agree there is definitely confusion, especially if someone doesn’t read the entire post before going to update. I try as much as possible to not edit a post, but instead add to it, so the original stays preserved for those who want to see the update progress. That is why I did it the way I did. I will add an update about 17.3 to the title though, since that should help alleviate confusion.
Thanks. Well-done solution by changing the post’s main headline.
VLC does the actual playing of my local media far better than Kodi in my experience. Kodi stutters, lags, the search isn’t great. Outside of the add-ons, at least on my Fire TV 2, I’ve found Kodi just ok.
Really though, was this even an issue for those of us not running a Win-Tel x86-64?! I’m probably being ignorant here, but with all my “Playing” Devices being firmly in the ARM camp. Somehow I’m just not feeling the urgent need to update, as I would say if this were a Windows, or possibly Linux Desktop version.
Does this flaw affect only those who are running Kodi on a computer?
Have updated on FireTV to v 17.2 and then 17.3. With both versions, now when I enter or exit KODI, I get a dialog box stating my connection to the internet has been lost for about 5 seconds, then it comes back again. Anyone else having this issue? Never had it when on Jarvis v 16.2.
Upgraded my FireTV to Kodi 17.3 and got non-responsive add-ons and lots of crashes. Went back to Kodi 17.1 – no more issues. Seems like Kodi 17.3 is a bad release.
MLB … then on 17.1, you have a security risk!
I am a bit worried to update as it might mess up all my settings, favourites and skin settings like Amber settings. Has anyone tried?
Vinay … when I updated from 16.2 to 17.2 & then 17.3, everything stayed the same, none of my settings, favorites, addons, etc. were lost.
Yes you are right! I upgraded from 16.2 to 17.3 directly and everything seems to be in order. It even fixed some broken add-ons!