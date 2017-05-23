News

Malicious subtitles in popular media players could lead to remote compromise

Media software from VLC, Kodi, Popcorn Time, and Stremio are vulnerable, researchers say

Senior Staff Writer, CSO |

vlc
Credit: download.net.pl
More like this

Researchers at Check Point have discovered a flaw affecting several popular media players, stemming from how they process subtitles. If exploited, an attacker could gain remote access to the victim's system.

It's estimated that nearly 200 million video players and streaming apps use the vulnerable software.

Check Point says the vulnerable versions of VLC, Kodi, Popcorn Time, and Stremio have been downloaded more than 220 million times. All an attacker has to do is develop malicious subtitles, which are then downloaded to the user via the video player.

"The attack vector relies heavily on the poor state of security in the way various media players process subtitle files and the large number of subtitle formats. To begin with, there are over 25 subtitle formats in use, each with unique features and capabilities," Check Point explained.

"Media players often need to parse together multiple subtitle formats to ensure coverage and provide a better user experience, with each media player using a different method. Like other, similar situations which involve fragmented software, this results in numerous distinct vulnerabilities."

Check Point researchers found that malicious subtitles could be developed and shared to online repositories, such as OpenSubtitles.org. By gaming the ranking algorithm on these repositories, the attacker's subtitles are selected as the best option and automatically downloaded.

The researchers created a proof-of-concept video outlining an attack, but will not release additional details out of an abundance of caution.

Stremio and VLC have released new versions of their media player in order to address the vulnerabilities. Kodi and Popcorn Time also fixed the flaws.

"We have reason to believe similar vulnerabilities exist in other media players as well. We followed the responsible disclosure guidelines and reported all vulnerabilities and exploits to the developers of the vulnerable media players," Check Point said in a blog post shared with CSO Online.

"Some of the issues were already fixed, while others are still under investigation. To allow the developers more time to address the vulnerabilities, we've decided not to publish any further technical details at this point."

To comment on this article and other CSO content, visit our Facebook page or our Twitter stream.
Related:

Steve Ragan is senior staff writer at CSO. Prior to joining the journalism world in 2005, Steve spent 15 years as a freelance IT contractor focused on infrastructure management and security.

Healthcare records for sale on Dark Web
You Might Like
Most Popular
cable modem
53% off Linksys Cable Modem for Comcast, Eliminate Rental Fees - Deal Alert

If you have broadband internet from Comcast or similar providers, you're probably paying a monthly fee...

3 keychain keys
Outsourcing security: Would you turn over the keys to a third party?

Years ago it would have been unthinkable to give up control to securing your most valuable assets. But...

crying whining baby after tantrum
WannaCry fallout -- the worst is yet to come, experts say

The massive scale of the recent WannaCry ransomware attack has exposed some significant weaknesses in...

BrandPosts
Learn more
Popular Resources
Featured Stories
tatu ylonen
Unmanaged, orphaned SSH keys remain a serious enterprise risk

phishing threat
Be wary of fake WannaCry fixes

When the WannaCry malware hit, many users were scrambling for fixes -- but some of the proffered...

3 auditors
The most common errors identified in professional DNS audits

Chris Roosenraad, director of DNS Services at Neustar, shares some of the most common errors observed...

pacman
25% off Pac-Man Connect and Play With 12 Classic Games - Deal Alert

Father's Day idea? Bandai's Pac-Man "Connect and Play" brings back favorite classic video games right...