In recent years, streaming software such as Kodi, Strem.io, Butter Project, and Popcorn Time have become enormously popular. They allow millions of people to stream all manner of content, including vast amounts of pirated TV shows and movies.

Now, researchers at cybersecurity firm Check Point have revealed that a vulnerability in those popular players – including the enormously popular media player VLC – allows malware to be injected onto people’s devices via malicious subtitle files.

The previously unnoticed vulnerability has already been revealed to those firms, and fixes have either been issued or are in the pipeline. According to researchers at Check Point (who found the vulnerability last week), approximately 200 million devices are at risk from the subtitle zero-day.

Attack Vector

The vast majority of subtitle files are harmless. However, many players give their users the choice of a range of subtitle languages. They do this by accessing third party subtitle databases. It is believed that hackers have been hiding malicious code within subtitles for popular streams among those third party databases.

For people who accidentally download infected subtitles, the result is malware penetration that gives hackers access to the devices on which the media player resides. Check Point has explained that, because of the easily exploited nature of the vulnerability, it is possible that this is one of the most widespread exploits discovered in recent years.

“Our research reveals a new possible attack vector, using a completely overlooked technique in which the cyberattack is delivered when movie subtitles are loaded by the user’s media player.”

Some of the databases that have been used by hackers to spread malware include OpenSubtitles.org. That website uses trust rankings in order to help people know whether the subtitles are any good. According to Check Point, it would appear that the devious hackers have falsified those scores in order to put the infected subtitles at the top of the list. This has resulted in a hugely successful malware campaign.

Total Control

Once the malware has penetrated the victim’s device, hackers can access their sensitive data and gain the ability to use the device to launch denial of service (DoS) attacks. Among the devices that hackers have penetrated are millions of PCs, tablets, laptops, set-top boxes, and smart TVs. This is what Check Point had to say about the cyberattack:

“Unlike traditional attack vectors, which security firms and users are widely aware of, movie subtitles are perceived as nothing more than benign text files. This means users, Anti-Virus software, and other security solutions vet them without trying to assess their real nature, leaving millions of users exposed to this risk.”

Massive Vulnerability

At times the payload was hidden within subtitles that are automatically downloaded with the video stream. On these occasions, users were inevitably infected with the malware. The vulnerability demonstrates that the way in which subtitles are sourced by media players has been putting a hole in people’s systems, creating an easily exploitable backdoor. Check Point states,

“The attack vector relies heavily on the poor state of security in the way various media players process subtitle files and the large number of subtitle formats.”

There are over 25 different formats for subtitle files, and media players like VLC are especially loved because they feature all the codec needed to view those files. Due to the fact that those are just text files, until now they were thought to be benign. However, it has become clear that the ability to play many different subtitle files (and at times even stitch a number of formats together) has created a security nightmare.

While Kodi has been receiving a lot of press recently (for been outlawed by the EU’s highest court), that highly popular player is only believed to be used by around 10 million people. The open source VLC media player, on the other hand, has been around since 2001, and is believed to have been downloaded in excess of 170 million times. As such it is possible that hundreds of millions of people were affected by the flaw.

The Kodi team has already stated that it is aware of the problem and has promised that the 17.2 update for the player will have completely patched up the exploit. The developer of VLC, VideoLAN, has already patched up the vulnerability and doesn’t believe it is exploitable anymore. This is what the firm had to say:

“The VLC bug is not exploitable. The first big issue was fixed in 2.2.5. There are 2 other small issues, that will be fixed in 2.2.6.”

Popcorn Time developers also released a fix shortly after the Check Point announcement (version 0.3.11). In addition, the firm said it will be working closely with the subtitle database (OpenSubtitles) that it leverages in order to eradicate as many infected subtitle files as possible.

Check Point believes that there are still more players on the market that have not fixed the vulnerability. For that reason, the firm has not published any more details about the vulnerability. The fear is that hackers could take advantage of the zero-day exploit should Check Point explain how it works:

“Some of the issues were already fixed, while others are still under investigation. To allow the developers more time to address the vulnerabilities, we’ve decided not to publish any further technical details at this point.”

If you are concerned about your media player, make sure that you have downloaded the most recent update for it. If in doubt, go to the developer’s website to see if they have issued a recent update. If you can’t find one and are still concerned, it is worth looking on their forums for an answer (or simply send them an email with your concerns).



BestVPN