Part of the job of a security researcher is to identify attacks that may not be in use currently, but that could be leveraged for mass damage in the near future. Such is the case with a recent threat report from researchers at Check Point Software Technologies. The report in question details a "proof of concept" attack built on subtitle vulnerabilities (that is, an attack not yet found in the wild) that threatens roughly 200 million users of streaming platforms like VLC, Kodi (XBMC), Popcorn-Time and strem.io.
The attack in question is carried out by "a completely overlooked technique in which the cyberattack is delivered when movie subtitles are loaded by the user's media player." In practice, a threat actor may, as the researchers did, direct users to a malicious site that asks them to download updated subtitles. These updates are themselves malicious and exploit the poor coding of the player's subtitle parsing implementation.
In every version of the streaming platforms affected, the attacker can then gain total control of the infected machine (Smart TV, computer, etc.) and steal or destroy data, or commit countless other malicious actions. The weak security of this particular area, namely subtitle file processing by media players, is what allows for such an easy attack (in comparison to other remote execution flaws out there).
The companies affected by the subtitle vulnerabilities have been working with Check Point to create appropriate patches. As of now, many of these organizations have in fact created patches or are close:
- PopcornTime: has a patch that can be manually downloaded.
- Kodi: created a fix, available in source code form.
- VLC: the patch can be downloaded from the project.
- Stremio: the patch is available from the main website.
It is only a matter of time before hackers attempt the attack found in Check Point's report, so users of the aforementioned streaming services would be wise to apply the patches ASAP. This attack is likely to spread to other streaming services, so keep a lookout for patches if your particular service is not listed currently.
Photo credit: Kodi