Researchers at Check Point Software Technologies discovered a flaw in media player subtitles, that could leave millions of user machines vulnerable to complete takeover. According to the report, some media players, including VLC, Popcorn Time, Stremio, and VLC are vulnerable to an attack that involves movie or video subtitles. If you went by the downloads of the players, the number of affected machines ranges in couple hundred million. Although according to an interview in eWEEK with Omri Herscovici of Check Point, the attack has not been seen in the wild.
“We have done extensive analysis of millions of public subtitles and as far as we can tell this attack has not been used by anyone yet,” – Omri Herscovici
So, how does it work?
Say you had one of the affected players, could be in your Smart TV or in another device, and you wanted to watch a movie that was in a different language, or you just wanted to watch with the subtitles on. The media player would attempt to download the subtitles from a third party. These files are normally just simple text files and automatically downloaded and run by the player, with no oversight from antivirus software. Flaws in the player software could allow for a malicious subtitle file to gain access to the host system through the players permissions. The researchers found that an attacker could create a malicious subtitle file within a third party repository and hence if that file or files were chosen by the player, a successful attack could easily occur.
Check Point has disclosed all the findings to the appropriate vendors and patches have been released. So the best advice we have is; Go update your media players.