Kodi, VLC and other media players are open to malware attack via subtitles

Do you use Kodi or VLC – pieces of open source streaming software which act as a central media center for all your digital files? Then you need to know about a serious vulnerability affecting these media players (and several others), pertaining to the use of subtitles – although the good news is fixes are already available (but of course, they need to be applied or you’re running some big risks).

Security firm Check Point discovered the flaw in Kodi, VLC, Popcorn Time and Stremio (it may be present in other players, too), which involves maliciously altered subtitle files capable of giving an attacker nothing less than complete control over the target device.

Note that simply watching a film with its own subtitles on one of these media players isn’t a problem at all. The risk comes when using downloaded subtitles which are automatically picked up from various online repositories by some media players when you select the language of subtitles you require.

As Check Point notes, the subtitle repositories are treated as a trusted source by the media playing software, and an attacker can insert their own subtitles loaded with malware into these systems.

Worse still, said attacker can potentially manipulate these databases of subtitles to boost their nefarious creation up the rankings, meaning that it’s much more likely to be served to unwitting users.

And a further dollop of nastiness is the fact that these movie subtitle files are seen as simple text files by antivirus solutions, and are therefore able to fly under the radar of security software.

Media-playing millions

According to Check Point, there are currently no less than 200 million users out there running vulnerable media players.

As mentioned, all the software vendors in question have now fixed the issue, so users need to make sure that their client software is fully up-to-date in order to avoid potential infection.

Kodi’s latest version 17.2 has the fix incorporated, with any previous versions vulnerable to exploit – you can grab the new client here.

VLC has a new and fixed version of its software here, and Stremio offers a fixed client on its website.

Popcorn Time has apparently produced a fixed version, but you can’t yet download it from the official website – although as Check Point observes, there’s a manual download link here which can be used for the time being.

If you’re not running the fully updated versions of these players, obviously you should steer well clear of using downloaded subtitles until you can grab the new clients.

Finally, it’s also worth bearing in mind that other media players could potentially be affected, so a degree of caution might be a good idea on all fronts; and updating to the latest version of whatever you’re using to play movies or music certainly won’t hurt.

Via: Gizmodo