Security researchers have discovered a surprising new way for attackers to gain control of a machine: malicious subtitles. The vulnerability is device-independent, meaning it could be used to gain control of anything from an iPhone to a Mac.

The vulnerability was discovered by Check Point, which describes it as a significant risk.

There is no evidence that this attack vector is yet in active use, but now that the possibility has been disclosed, it’s likely only a matter of time before the bad guys figure out the details and start using it.

Check Point said that the vulnerable code was found in many major media players, including VLC, Kodi, Stremio & PopcornTime. There are fixes available for all but Kodi, where the source code has been fixed but a runtime version is not yet available.

  • PopcornTime: a fixed version has been created, but it is not yet available to download from the official website. The fixed version can be downloaded manually from: https://ci.popcorntime.sh/job/Popcorn-Time-Desktop/249
  • Kodi: a fixed version has been created, but it is currently available only as a source code release and is not yet available to download from the official site. The source code fix is here: https://github.com/xbmc/xbmc/pull/12024
  • VLC: officially fixed and available to download from their website: http://get.videolan.org/vlc/2.2.5.1/win32/vlc-2.2.5.1-win32.exe
  • Stremio: officially fixed and available to download from their website: https://www.strem.io/

The firm has put together a proof of concept based on a Windows machine, but stresses that all devices are vulnerable. While malware remains a relatively small problem for Apple users, it is not a risk which can be completely ignored.