Malicious Subtitles Allow Hackers to Take Over One’s PC

A security firm discovered that hackers are using malicious subtitle files to exploit vulnerabilities and take control over a user’s PC and other devices.

Check Point, an Israeli cyber security firm, has unearthed vulnerabilities in a number of popular video players. When an affected player parses a subtitle file laced with malicious code, that code can be executed to take over the entire device.

The recent publications are only partial, according to the cyber security firm, but so far it is evident that these vulnerabilities could affect hundreds of millions of users across different devices.

Certain Subtitles Offer Inconspicuous Cover for Malicious Code

The report documents that the vulnerabilities, which are present in more than one popular media player, allow attackers to create files laced with malicious code.

Once loaded within media players with certain vulnerabilities, the malicious code contained within the subtitle files can be executed to give the hacker control over the device.

The security researchers attached a YouTube video demonstration of how the maliciously crafted files executed code that gave the attacker complete control over the device using the vulnerabilities within the media player.

VLC Among Top Platforms Affected

The partial report from the cyber security firm revealed that a number of popular media players were vulnerable to this new attack vector. The vulnerability is apparently present in applications across all devices (PC, mobile, smart TV, etc.).

These vulnerabilities are considered zero-resistance because they possess the covert ability to bypass all installed security measures, giving the author of the malicious code free rein over the infected device, including full access to the user’s private data.

The vulnerabilities are said to allow hackers to gain unauthorized access to the device shortly after the malicious file is parsed, but before the actual subtitles are displayed on the screen.

The list included big names such as popular playback software VLC and PopcornTime, and streaming software such as Stremio and Kodi.

The researchers also suspected that these vulnerabilities are present in a number of other media players that support subtitles, although they have yet to test the specific applications.

Zero-Resistance Vulnerabilities Put Hundreds of Millions at Risk

According to the partial report from Check Point, an estimated 200 million media players and streaming software could still be vulnerable to this attack vector, giving it enough potential to be one of the most far-reaching attack vectors to be reported in recent years.

The security research team also raised concerns over a number of variables that could further exacerbate not only the reach but also the impact of the zero-resistance vulnerabilities.

The first and most significant factor was the generally insecure availability of subtitles that are downloaded off the internet. The fact that the majority of these are hosted on repositories makes it easy for attackers to create and spread poisoned subtitle files to unsuspecting users from all over the internet.

What’s more, the popularity algorithms that make certain subtitles more popular than others can easily be falsified to trick people into downloading files that contain malicious code.

Manipulating these popularity algorithms, according to Check Point, also makes streaming software prioritize malicious subtitle files over legitimate ones.

Media players such as VLC have addressed these issues

Caution Advised to Users

Security researchers from Check Point have advised media player users to refrain from downloading untrusted subtitle files altogether until their preferred video player receives an update to patch the vulnerabilities.

As of writing, PopcornTime, VLC, Stremio and Kodi have already rolled out new updates addressing the vulnerabilities.

A new, fixed version of Kodi has been produced by the company, ready for users to download and update their systems. Stremio also fixed the vulnerability, and is offering a new version on its site as well.

And the patched VLC player version is available here, and PopcornTime’s patched update can be downloaded from here.
