Update your media players now!
Update your media players now!
Security scientists at Check Point Software Technologies have discovered a whole new vulnerability in the way media players handle subtitle files, which can give an attacker full control over your computer.
Malicious subtitles bounce the machine
Custom subtitle files are treated as privileged processes by several major well-known media players, and hackers can exploit this vulnerability.
The attack occurs shortly after loading a malicious subtitle file, thus giving the attacker full control of the victim's machine.
Ready for antivirus
- Unlike other attack vectors like security companies and users familiar with, subtitles for movies are treated as harmless text files, Check Point writes on their webpages. - This means that users, antivirus and other security solutions will let them go without assessing whether they are dangerous or not, causing millions of users to be at risk.
The media players that Check Point has tested the vulnerability of include VLC, Kodi, Popcorn-time and Strem.io - all of which have come with updates for vulnerability.
Together, these media players have over 200 million users, all of whom are exposed to risk from malicious subtitles until users update their player.
These players are up to date:
- PopcornTime has created a fixed version but has not released it on the official website yet. The fix version can be downloaded manually here.
- Kodi has created a fixed version v17.2 available for download on their website. You can download the new version here.
- VLC has made an official fix version available for download on their website. It can also be downloaded here.
- Stremio has created a fixed version available for download from their website at strem.io.
Here you can see a video of how the attack occurs: