It seems a number of media players, including Kodi, PopcornTime, Stremio, and VLC, have been prone to a malicious ‘attack by subtitles.’ This is based on a new report out this week from Check Point. In fact, Check Point considers this an extremely important issue, with the security-focused company suggesting that as many as 200 million video players and streamers could be prone to the vulnerability, which Check Point notes is an “easily accessed and zero-resistance vulnerability.”
While this is a serious breach in itself, what the Check Point announcement really picks up on is how “overlooked” and relatively simple this attack is. Attacks usually rely on the user doing something to initiate the malicious code. In contrast, this attack relies on the code being initialized when subtitles accompanying video content are launched by the media player. The difference is that a user does not need to be tricked into activating a suspicious file or clicking through a link; starting a video that makes use of subtitles is enough in itself to activate the code. The user involvement this technique requires is minimal compared to the traditional methods used. Likewise, even anti-virus and other security-driven software might overlook such files due to their generally innocuous nature.
In terms of the effects of falling foul of this technique, Check Point notes that once the code has been initiated, those behind the attack will potentially have the ability to take over the device completely, at which point, Check Point notes, the “potential damage the attacker can inflict is endless.” So it is clear that this is a fairly significant and possibly detrimental issue for affected devices. While Check Point has specifically named the likes of Kodi and VLC, they have only been named due to their large number of users, with Check Point noting that the number of media players affected will be far greater. However, the announcement also details that those bigger media players are already familiar with the issue, with Kodi, Stremio, and VLC having already released an official fix that is available to download from their respective websites. As for PopcornTime, the announcement notes that a fix has been created, although it has yet to be made available to download. Below is a video demonstration of how the attack works.