sb-nz logo
Story image

Hackers target subtitle files in major media players - including VLC

29 May 2017

If you use media players such as VLC, Kodi, Popcorn-Time and strem.io, chances are your device has a vulnerability that allows cyber attackers to create malicious subtitle files, which are then downloaded directly to your media player.

Check Point researchers discovered the vulnerability last week, with estimates that around 200 million video players are at risk. They're calling it one of the most widespread, easily-accessed and zero-resistance vulnerabilities in years.

The attack works by using subtitle databases that are trusted by both users and media players by default. Those databases such as OpenSubtitles.org can also host malicious content, which is then given false trust rankings to boost it to the top of the list. Users just need to download the top results and immediately the payload is delivered as the media player downloads the infected subtitles.

Attackers can then take control of victims' machines, whether that machine is a PC, mobile device or smart TV. They could then install malware, steal sensitive information or conduct mass DoS attacks.

"Unlike traditional attack vectors, which security firms and users are widely aware of, movie subtitles are perceived as nothing more than benign text files. This means users, Anti-Virus software, and other security solutions vet them without trying to assess their real nature, leaving millions of users exposed to this risk," Check Point's blog says.

Researchers believe that it shows how flawed media players are when it comes to security and subtitle file processing. Subtitle formats number more than 25, and each format comes with different features. They state that media players often use many different formats to stitch together subtitle files, which means there are massive holes in each kind of software.

Researchers also state that VLC has reached more than 170 million downloads and Kodi (XBMC) has more than 10 million. Potential victims could also in the hundreds of millions if the software isn't patched.

While researchers haven't tested other media players, they suspect similar holes will also exist. Since Check Point disclosed the vulnerabilities, VLC, Kodi, Stremio have made updated versions available on their website. PopcornTime has also created a fixed version.

How does the attack work? Find out more in the video below.

Story image
ThreatQuotient hits $22.5m in new financing, continues growth streak
“Since we first invested in ThreatQuotient in 2017, their team has continued to prove to the market that there is a critical need for cybersecurity solutions aimed at security operations."More
Story image
Gigamon & FireEye tackle security in hybrid cloud environments
The partnership is an extension to a ‘long-standing’ relationship that aims to ‘simplify, secure, and optimise hybrid cloud environments’.More
Story image
Major firms disclose breaches in the wake of SolarWinds attack
Microsoft, Shell, GoDaddy, MobiKwik — these are just some of the high-profile company's on the receiving end of sophisticated attacks, writes Bitglass senior director of marketing Jonathan Andresen.More
Story image
Kroll completes Redscan acquisition, expands cyber risk portfolio
With the addition of Redscan and its extended detection and response (XDR) enabled security operations centre (SOC) platform, Kroll expands its Kroll Responder capabilities to support a wider array of cloud and on-premise telemetry sources.More
Story image
Cohesity appoints its very first CISO
In the newly created role, new appointee Brian Spanswick will focus on advancing and optimising IT and security for Cohesity and its customers, the company says.More
Story image
Why a more secure organisation is a collective responsibility
With vast volumes of data moving to the cloud, many IT professionals are frequently challenged to protect their enterprise environment, and there is a greater focus being placed on advancing cybersecurity strategies.More