Your PC can be hacked through subtitle files

Check Point pointed out that Kodi has almost 40 million visitors per month, VLC has over 170 million downloads and Popcorn Time likely also has millions of viewers.

"To allow the developers more time to address the vulnerabilities, we've decided not to publish any further technical details at this point", the researchers said.

By crafting malicious subtitle files for films and TV programmes, which are then downloaded by viewers, attackers can hope to take complete control of any device running the vulnerable platforms.

If you routinely use one of these popular media players - VLC, Kodi, Popcorn Time and Stremio - please be cautious when you download and install subtitle files from the web.

Check Point estimated that over 200 million people around the world are at risk of the attack, making it one of the most widespread, easily accessed and zero-resistance vulnerabilities reported in recent years. A video of how the attack works can be found below.

Security researchers have discovered a surprising new way for attackers to gain control of a machine: malicious subtitles.

Most of these files are hosted on subtitle repositories where anyone can upload a malicious file. The attackers then manipulate these sites' ranking systems to have their poisoned subtitles appear on top of the search results. The potential damage the attacker can inflict is endless, ranging from stealing sensitive information and installing ransomware to mass denial-of-service attacks and much more.

"The attack vector relies heavily on the poor state of security in the way various media players process subtitle files and the large number of subtitle formats".

The biggest step users can take to ensure they aren't vulnerable to being hacked via malicious subtitles for their media player is to ensure they're running the latest version. Worryingly, Check Point claimed it has reason to believe that similar security flaws exist in other streaming media players.

Check Point says that there are over 25 subtitle formats in use, each with unique features and capabilities, and that the different types of media players each make use of these subtitles in their own way.

All of the media players and services listed above have updated their software and fixed these exploits (though Kodi is now only available as a source code release). As of this writing, VLC and Popcorn Time have both issued updates that fix the vulnerability, and Kodi and strem.io are said to be working on patches.
