Researchers say popular media players could pose a security risk through their subtitles feature. Several firms have issued or will soon issue a security update.
The issue is with media players that search online repositories of subtitle files and select the highest-rated ones, the idea being to pick the ones with the best transcription (or the most accurate translation).
Security company Check Point notes two problems here. One is that the rating system can be too easily gamed so that those with malicious intentions can get rogue files to the top of the rankings. The other is that several leading media player apps – and indeed some security software – are effectively set up to assume that a subtitle file is little more than a glorified text file and doesn’t pose any risk.
In fact, the researchers say they were able to use rogue subtitle files to exploit vulnerabilities in Kodi, Popcorn Time, Stremio and VLC, in some cases gaining complete remote access to a computer. The situation is made more complex by the players working with as many as 25 different file types for subtitles, making for an inconsistent pattern of vulnerabilities.
Check Point estimates that the affected apps total 200 million installations. That’s somewhat misleading, as it’s likely only a small percentage of those users actually use subtitle files.
Understandably, Check Point isn’t going into specifics about the vulnerabilities at the moment. It’s been working with the relevant developers. VLC and Stremio have issued new versions with fixes, while Popcorn Time has a fix available for manual download from its website. Kodi’s fix is currently only available as source code, with an automated update expected later this week.