- There are over 25 subtitle formats in use, each with unique features and capabilities.
- Media players often need to parse together multiple subtitle formats to ensure coverage and provide a better user experience.
- The fragmented software can lead to numerous distinct vulnerabilities.
According to a report by Check Point, hackers can use malicious subtitles to gain access to your PC. Subtitles are available in a wide range of formats. The new vulnerability shows that hackers can gain access to your device as soon as you load these subtitles, whether it is a PC, a smart TV or a mobile device. Check Point explains that the attack vector relies on the poor state of security in the way media players process subtitle files and on the large number of subtitle formats.
"To begin with, there are over 25 subtitle formats in use, each with unique features and capabilities. Media players often need to parse together multiple subtitle formats to ensure coverage and provide a better user experience, with each media player using a different method. Like other, similar situations which involve fragmented software, this results in numerous distinct vulnerabilities," it writes in a blog post.
It has also posted a proof-of-concept video demonstrating how an attacker can use malicious subtitles to take over your machine.
Check Point lists media players such as VLC, Popcorn Time, Kodi and Stremio as affected. In India, VLC is among the popular media players, so this could be a cause for worry. "There are a number of shared online repositories, such as OpenSubtitles.org, that index and rank movie subtitles. Some media players download subtitles automatically; these repositories hold extensive potential for attackers," the blog post further explains.
Video credit: Check Point
Last Updated 31, Mar 2018, 7:01 PM