The Devil’s in the Subtitles
Widespread malware affecting media players
On May 23rd, 2017, Check Point found a vulnerability in four popular media players that opens a new attack vector: malicious subtitle files crafted to infect computers, smartphones, and smart TVs. Once such a file is downloaded, an attacker can potentially take complete control of the device. Over 200 million devices across the world currently run this type of software and are vulnerable to this attack.
This attack has a high likelihood of success because subtitle repositories such as OpenSubtitles.org, where subtitles are indexed and ranked, are typically treated as trusted sources by users and by their media players. The subtitle supply chain uses over 25 different formats, each with its own unique features and capabilities. This fragmentation, coupled with limited security, means that there are multiple vulnerabilities that can be exploited.
How does it work?
The attackers are able to manipulate these repositories to give the malicious subtitles a higher score. Raising the scores can increase the likelihood that compromised subtitles are chosen by the user. This exploit requires little to no user interaction in order to be successful.
Current methods of endpoint protection treat subtitles as benign text files, which means security firms, users, and anti-virus software agents authorize them without assessing their real nature. This allows the malicious code to go undetected by standard security protocols.
Attackers exploiting this vulnerability can then cause a wide range of damage. Potential impact can include but is not limited to:
- Theft of sensitive data
  - Personally Identifiable Information (PII)
  - Financial information
  - Usernames and passwords
- Ransomware
- Distributed Denial of Service activity
What Can Be Done About It?
Check Point has notified the developers of each application of the recent vulnerabilities. Each has reported that it patched the flaws and advises users to update their media players as soon as possible.
At this time, it is recommended that users download the patches. As more information about this type of exploit is gathered, we will update our blog with further details.
Technical Details
Vulnerable Platforms and Updates:
- PopcornTime – Software to watch Movies and TV shows instantly
- VLC – VideoLAN Media Player
- Kodi (XBMC) – Open-Source Media Software
  - The source code fix is available here: https://github.com/xbmc/xbmc/pull/12024
- Stremio – Video Streaming App for Videos, Movies, TV series, and TV channels
The following links contain information about the exploit and fixes:
- Check Point Write-Up
- The Hacker News