If there wasn’t enough to worry about already, hackers have now figured out a way to attack computers though the subtitles in videos. The new vulnerability allows remote attackers to take complete control of machines using malicious subtitle files, including those commonly used with video applications and systems such as VLC, Kodi (XBMC), Popcorn-Time, and strem.io.
The problem is so widespread among so many different video playback tools that the number of potentially vulnerable machines could be as high as 200 million worldwide, according to Check Point Software Technologies, the security company whose researchers first discovered the issue.
This particular method of mounting an attack seems especially insidious because it can be executed so easily. Hackers can take complete control over the entire subtitle supply chain without resorting to man-in-the-middle attacks or requiring any user interaction. Other attacks require that hackers intercept network traffic between two parties, convince users to visit malicious Web pages or download malicious code.
That is not the case here. Instead, the attack is launched though the use of a malicious subtitle file, such as a .srt file, crafted by the hacker. The malicious file can then be uploaded to one of a number of free subtitle repositories such as OpenSubtitles.org. Oftentimes, there may be multiple files with different versions of the subtitles stored on the repositories. In that case, the repositories will rank the different files in order of perceived quality.
But the researchers from Check Point found that they were able to manipulate the ranking algorithms used by these repositories, allowing them to ensure that their malicious file would receive the highest ranking. That is important not only because many users rely on those rankings to decide which files to download, but many platforms automatically download subtitle files and use the repositories’…