Subtitle Hack Leaves 200 Million Vulnerable to Remote Code Execution
Check Point researchers revealed a new attack vector which threatens millions of users worldwide – attack by subtitles. By crafting malicious subtitle files, which are then downloaded by a victim’s media player, attackers can take complete control over any type of device via vulnerabilities found in many popular streaming platforms, including VLC, Kodi (XBMC), Popcorn-Time and strem.io.
It’s common to see subtitle files (usually a .srt or .sub) included in torrents and other less-than-legal movie downloads, so people tend to simply ignore them. You can load this file into most video players to display subtitles in the chosen language synced to the video. Check Point says that there are roughly 200 million installations of video players vulnerable to this exploit including VLC, Kodi, Popcorn-Time, and Stream.io.
Details can be found here
Solution : Download Subtitle Hack Fix
Check Point researchers contacted the developers of the affected media players in April 2017. Thankfully, the security patches have been released.
In the case of VLC, the attacker can leverage memory corruption bug. The media player had four vulnerabilities (CVE-2017-8310, CVE-2017-8311, CVE-2017-8312 and CVE-2017-8313) which have been fixed by VideoLan.
A fix for VLC is available as the latest version 18.104.22.168 which is present on the VideoLan’s website. The same is the case of Stremio.