Do you use Kodi or VLC – pieces of open source streaming software which act as a central media center for all your digital files? Then you need to know about a serious vulnerability affecting these media players (and several others), pertaining to the use of subtitles – although the good news is fixes are already available (but of course, they need to be applied or you’re running some big risks).
Security firm Check Point discovered the flaw in Kodi, VLC, Popcorn Time and Stremio (it may be present in other players, too), which involves maliciously altered subtitle files capable of giving an attacker nothing less than complete control over the target device.
Note that simply watching a film with its own subtitles on one of these media players isn’t a problem at all. The risk comes when using downloaded subtitles which are automatically picked up from various online repositories by some media players when you select the language of subtitles you require.
As Check Point notes, the subtitle repositories are treated as a trusted source by the media playing software, and an attacker can insert their own subtitles loaded with malware into these systems.
Worse still, said attacker can potentially manipulate these databases of subtitles to boost their nefarious creation up the rankings, meaning that it’s much more likely to be served to unwitting users.
And a further dollop of nastiness is the fact that these movie subtitle files are seen as simple text files by antivirus solutions, and are therefore able to fly under the radar of security software.
According to Check Point, there are currently no less than 200 million users out there running vulnerable media players.
As mentioned, all the software vendors in question have now fixed the issue, so users need to make sure that their client software is fully up-to-date in order to avoid potential infection.
It is advised to uninstall VLC Media Player as soon as you can and wait for the company to release an updated version of it without the security patch. Alternatives like Kodi and Stremio are now secure with proper security measures added to its system.
Here is a Proof-of-Concept video, demonstrating how an attacker can use malicious subtitles to take over one’s machine.