Enjoy watching foreign films? We have some bad news.
Security researchers have discovered a new attack vector that could allow online miscreants to gain access to your PC, mobile device, and smart TV: malicious subtitles. Researchers from security firm Check Point said "hundreds of millions" of devices running VLC, Kodi, Popcorn Time, and Stremio — four of the most popular media players out there — are at risk.
"Malicious subtitles could be created and delivered to millions of devices automatically, bypassing security software and giving the attacker full control of the infected device and the data it holds," Check Point vulnerability research team leader Omri Herscovici said in a statement.
He went on to say that the subtitle supply chain is "complex," with more than 25 different formats in use, all with unique features. "This fragmented ecosystem, along with limited security, means there are multiple vulnerabilities that could be exploited, making it a hugely attractive target for attackers," Herscovici said.
Subtitles for films and TV shows are created by "a wide range of subtitle writers," who upload them to shared online repositories such as OpenSubtitles.org, where the files are indexed and ranked, Check Point explained. Here's the problem: bad actors can manipulate the repositories' ranking algorithm so that their malicious subtitles are automatically downloaded by media players. This would allow the attacker to "take complete control over the entire subtitle supply chain" with "little or no deliberate action on the part of the user."
Check out Check Point's proof-of-concept video below demonstrating how an attacker could use malicious subtitles to take over your machine.
Check Point said it followed responsible disclosure guidelines and reported the bugs to the developers of the vulnerable media players. Some of the issues have already been fixed while others are still under investigation.
"To protect themselves and minimize the risk of possible attacks, users should ensure they update their streaming players to the latest versions," Herscovici said. Popcorn Time has released a new version, which corrects the problem; it can be downloaded here. The latest versions of Kodi, VLC, and Stremio are also officially fixed.
Check Point said there is "reason to believe similar vulnerabilities exist in other media players as well." The company has not yet released full technical details of the flaws to give the developers more time to address the problem.
Part of the issue, Check Point said, is that movie subtitles are often perceived as "nothing more than benign text files."
"This means users, anti-virus software, and other security solutions vet them without trying to assess their real nature, leaving millions of users exposed to this risk," the company said. Check Point estimates that approximately 200 million video players and streamers currently run the vulnerable software, "making this one of the most widespread, easily accessed and zero-resistance vulnerability reported in recent years."
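The quoted point is that players and security tools accept subtitle files as "benign text" without checking what they actually contain. One defensive response is to parse a downloaded subtitle strictly before handing it to a player and reject anything that is not plain timed text. The following validator for the SRT format is an added illustration written for this article; it is not code from Check Point or from any of the media players named, and the tag whitelist (`b`, `i`, `u`), the line-length and lines-per-cue limits, and the two sample files are all assumptions constructed for the example.

```python
import re
from typing import List, Tuple

# Constructed sample inputs (not from the Check Point research): one clean
# SRT file and one carrying markup and an oversized line a player should
# never be asked to interpret.
GOOD_SRT = """1
00:00:01,000 --> 00:00:04,000
Hello, world.

2
00:00:05,500 --> 00:00:07,250
Second line of dialogue.
"""

SUSPECT_SRT = """1
00:00:01,000 --> 00:00:04,000
<script>alert(1)</script>

2
00:00:05,500 --> 00:00:07,250
""" + "A" * 5000 + "\n"

TIMESTAMP = r"\d{2}:\d{2}:\d{2},\d{3}"
TIMING_RE = re.compile(rf"^({TIMESTAMP}) --> ({TIMESTAMP})$")
# Assumed policy: only simple inline styling tags are allowed; any other
# tag-like token is treated as a reason to reject the file.
ALLOWED_TAG_RE = re.compile(r"</?(b|i|u)>", re.IGNORECASE)
TAG_RE = re.compile(r"<[^>]*>")
CONTROL_CHAR_RE = re.compile(r"[\x00-\x08\x0b\x0c\x0e-\x1f]")
MAX_LINE_LEN = 200        # assumed limit; real dialogue lines are far shorter
MAX_LINES_PER_CUE = 4     # assumed limit


def to_ms(ts: str) -> int:
    """Convert an SRT timestamp HH:MM:SS,mmm to milliseconds."""
    h, m, rest = ts.split(":")
    s, ms = rest.split(",")
    return ((int(h) * 60 + int(m)) * 60 + int(s)) * 1000 + int(ms)


def validate_srt(text: str) -> Tuple[bool, List[str]]:
    """Strictly parse an SRT document.

    Returns (ok, problems). The file passes only if every block is a
    sequential index, a well-formed non-overlapping timing line, and a
    short run of plain text lines containing nothing but whitelisted tags.
    """
    problems: List[str] = []
    if CONTROL_CHAR_RE.search(text):
        problems.append("file contains control characters")

    blocks = re.split(r"\n\s*\n", text.strip())
    expected_index = 1
    last_end = -1
    for block in blocks:
        lines = block.split("\n")
        label = f"cue {expected_index}"
        if len(lines) < 3:
            problems.append(f"{label}: block has fewer than three lines")
            expected_index += 1
            continue

        if not lines[0].strip().isdigit() or int(lines[0]) != expected_index:
            problems.append(f"{label}: index line is not the expected sequence number")

        timing = TIMING_RE.match(lines[1].strip())
        if timing is None:
            problems.append(f"{label}: malformed timing line")
        else:
            start, end = to_ms(timing.group(1)), to_ms(timing.group(2))
            if end <= start or start < last_end:
                problems.append(f"{label}: timing is reversed or overlaps previous cue")
            last_end = end

        payload = lines[2:]
        if len(payload) > MAX_LINES_PER_CUE:
            problems.append(f"{label}: too many text lines")
        for ln in payload:
            if len(ln) > MAX_LINE_LEN:
                problems.append(f"{label}: text line exceeds {MAX_LINE_LEN} characters")
            bad_tags = [t for t in TAG_RE.findall(ln) if not ALLOWED_TAG_RE.fullmatch(t)]
            if bad_tags:
                problems.append(f"{label}: disallowed markup {bad_tags[0]!r}")
        expected_index += 1

    return (not problems, problems)


if __name__ == "__main__":
    for name, doc in (("good", GOOD_SRT), ("suspect", SUSPECT_SRT)):
        ok, issues = validate_srt(doc)
        print(name, "accepted" if ok else "rejected", issues)
```

A check like this does not know which parser bug a given player has; its value is that a file which survives it carries only the structure a subtitle is supposed to have, so the "benign text" assumption the article describes is actually enforced rather than taken on faith. Because the article notes more than 25 formats are in use, a deployment would need an equally strict parser per format it accepts, or a policy of converting everything to one format before playback.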