Check Point researchers revealed a new attack vector which threatens millions of users worldwide – attack by subtitles. By crafting malicious subtitle files, which are then downloaded by a victim’s media player, attackers can take complete control over any type of device via vulnerabilities found in many popular streaming platforms, including VLC, Kodi (XBMC), Popcorn-Time and strem.io. We estimate there are approximately 200 million video players and streamers that currently run the vulnerable software, making this one of the most widespread, easily accessed and zero-resistance vulnerability reported in recent years.
[img]https://3.bp..com/-U6RnJ1gUjIg/WSgzg6Qt76I/AAAAAAAABqI/mb-63ixsq_g8A9p6eg0wp92JJyLVhcNWQCK4B/s400/Kodi_hacked.png[/img]

What is the root cause?

The attack vector relies heavily on the poor state of security in the way various media players process subtitle files and the large number of subtitle formats. To begin with, there are over 25 subtitle formats in use, each with unique features and capabilities. Media players often need to parse together multiple subtitle formats to ensure coverage and provide a better user experience, with each media player using a different method. Like other, similar situations which involve fragmented software, this results in numerous distinct vulnerabilities.

[img]https://1.bp..com/-lJS6Ie5meM0/WSgzsjy0FxI/AAAAAAAABqQ/Ab539ZQMRmE43oLHARV6OtUlYdJ0imMdACK4B/s400/hacked%2Bin%2Btranslation.png[/img]

What’s the effect?
Scope: The total number of the affected users is in the hundreds of millions. Each of the media players found to be vulnerable to date has millions of users, and we believe other media players could be vulnerable to similar attacks as well. VLC has over 170 million downloads of its latest version alone, which was released June 5, 2016. Kodi (XBMC) has reached over 10 million unique users per day, and nearly 40 million unique users each month. No current estimates exist for Popcorn Time usage, but it’s safe to assume that the number is likewise in the millions.

Damage: By conducting attacks through subtitles, hackers can take complete control over any device running them. From this point on, the attacker can do whatever he wants with the victim’s machine, whether it is a PC, a smart TV, or a mobile device. The potential damage the attacker can inflict is endless, ranging anywhere from stealing sensitive information, installing ransomware, mass Denial of Service attacks, and much more.

GET YOUR MEDIA PLAYERS SECURED HERE: http://www.digitalbog.com/2017/05/Kodi-App-hacked-by-subtitles.html