Researchers at security firm Check Point have revealed a new attack vector threatening millions of users of popular media players, including VLC, Kodi (XBMC), Popcorn Time and Stremio.
By crafting malicious subtitle files for films and TV programmes, which viewers then download, attackers can potentially take complete control of any device running a vulnerable player.
Check Point responsibly disclosed the vulnerabilities to the developers of the affected players, VLC, Kodi (XBMC), Popcorn Time and Stremio, and updated versions are now available. VLC alone is a widely used open-source media player with over 170 million downloads on Windows. Media players are also embedded in smart TV platforms and other streaming devices; Check Point estimates the total number of affected devices at 200 million.
In the attack, the vulnerable media player fetches a subtitle file from a third-party repository to provide a translation for the viewer. According to Check Point, the player treats the subtitle as a trusted source, and because subtitles are usually plain text files they are overlooked by common security tools, including anti-virus products.
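The defensive takeaway is to treat a downloaded subtitle as untrusted input rather than as trusted text. The following is an added example written for this page; it is not code from Check Point, nor from VLC, Kodi, Popcorn Time or Stremio, and it does not reproduce the specific bugs Check Point reported. It is a strict SRT validator that refuses malformed, oversized or out-of-order cue files instead of trying to render them. The size and count limits, the function names and the sample inputs are assumptions chosen for illustration.

```python
"""Strict SRT subtitle validator (added illustration, not code from any
player and not Check Point's proof of concept).

A downloaded subtitle is treated as untrusted input: the file size, cue
count, line length and cue structure are all checked, timestamps are
validated, and markup is stripped before any text would reach a renderer.
All limits below are assumptions for this example, not values from any
real media player."""
import re

MAX_FILE_BYTES = 1 << 20      # 1 MiB cap on the whole file (assumption)
MAX_CUES = 5000               # cap on the number of cues (assumption)
MAX_LINE_LEN = 200            # cap on one line of subtitle text (assumption)
MAX_LINES_PER_CUE = 4         # cap on text lines per cue (assumption)

TIMESTAMP_RE = re.compile(r"^(\d{2}):(\d{2}):(\d{2}),(\d{3})$")
TIMING_RE = re.compile(r"^(\S+) --> (\S+)$")
TAG_RE = re.compile(r"<[^>]{0,16}>")   # drops short tags such as <i>, </b>, <font ...>


class SubtitleError(ValueError):
    """Raised when the file violates the strict SRT grammar or a limit."""


def _parse_ts(token: str) -> int:
    """Convert HH:MM:SS,mmm to milliseconds, rejecting anything else."""
    m = TIMESTAMP_RE.match(token)
    if not m:
        raise SubtitleError(f"bad timestamp {token!r}")
    h, mi, s, ms = (int(g) for g in m.groups())
    if mi > 59 or s > 59:
        raise SubtitleError(f"out-of-range timestamp {token!r}")
    return ((h * 60 + mi) * 60 + s) * 1000 + ms


def parse_srt(data: bytes) -> list:
    """Parse SRT bytes into [(start_ms, end_ms, [text lines])].

    Anything that does not match the expected grammar raises SubtitleError
    rather than being silently 'recovered', which is where lenient parsers
    tend to go wrong."""
    if len(data) > MAX_FILE_BYTES:
        raise SubtitleError("file too large")
    # Strict decoding: a file that is not valid UTF-8 is rejected, not guessed.
    text = data.decode("utf-8", errors="strict").replace("\r\n", "\n")
    blocks = [b for b in text.strip("\n").split("\n\n") if b.strip()]
    if len(blocks) > MAX_CUES:
        raise SubtitleError("too many cues")
    cues = []
    expected_index = 1
    last_end = 0
    for block in blocks:
        lines = block.split("\n")
        if len(lines) < 3:
            raise SubtitleError("cue is missing index, timing or text")
        if not lines[0].isdigit() or int(lines[0]) != expected_index:
            raise SubtitleError(f"unexpected cue index {lines[0]!r}")
        m = TIMING_RE.match(lines[1])
        if not m:
            raise SubtitleError(f"bad timing line {lines[1]!r}")
        start, end = _parse_ts(m.group(1)), _parse_ts(m.group(2))
        if end <= start or start < last_end:
            raise SubtitleError("cues must be ordered and non-empty")
        body = lines[2:]
        if len(body) > MAX_LINES_PER_CUE:
            raise SubtitleError("too many text lines in one cue")
        clean = []
        for line in body:
            if len(line) > MAX_LINE_LEN:
                raise SubtitleError("text line too long")
            if any(ord(c) < 0x20 for c in line):
                raise SubtitleError("control character in subtitle text")
            clean.append(TAG_RE.sub("", line))
        cues.append((start, end, clean))
        expected_index += 1
        last_end = end
    return cues


def validate(data: bytes) -> bool:
    """True if the file passes every check; False (never an exception) otherwise."""
    try:
        parse_srt(data)
        return True
    except (SubtitleError, UnicodeDecodeError):
        return False


# Constructed sample inputs for the example (not taken from any real subtitle file).
GOOD_SRT = b"""1
00:00:01,000 --> 00:00:03,500
<i>Hello</i> there.

2
00:00:04,000 --> 00:00:06,000
Second cue
on two lines
"""

# A crafted file whose single text line is far beyond any plausible subtitle length.
OVERLONG_SRT = b"1\n00:00:01,000 --> 00:00:02,000\n" + b"A" * 100000 + b"\n"

if __name__ == "__main__":
    print(parse_srt(GOOD_SRT))
    print("overlong accepted:", validate(OVERLONG_SRT))
```

The point of the example is the posture, not the exact limits: a player that rejects a subtitle failing any of these checks before the text reaches its rendering code has turned "trusted text file" back into ordinary untrusted input.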
Since the vulnerabilities were disclosed, all four projects have fixed the reported issues. Stremio and VLC have also released new software versions that incorporate the fixes.
“To protect themselves and minimize the risk of possible attacks, users should ensure they update their streaming players to the latest versions,” concluded Herscovici.