And now, even movie subtitles can give you malware

Check Point infographic showing how subtitles can deliver malware.

Check Point Software's researchers have discovered malware hiding in movie subtitles which can affect smart TVs, mobile phones, tablets and laptops, especially those which run popular streaming software such as VLC, Kodi (XBMC), Popcorn-Time and strem.io.

Most malware is delivered through tricking users to click on a link or to download software, though malware can also install itself onto devices on a network if one device is affected, as with WannaCry. What Check Point has discovered is a completely new way to deliver malware, however.

According to the security company, streaming platforms typically allow subtitles to load automatically, and hackers can manipulate subtitle libraries (which is software) to load malicious
subtitles instead of the legitimate ones. The malware can subsequently allow hackers to take over the entire device. This has serious ramifications as video content now accounts for about 70% of the consumption of end-users, Check Point said in a blog post.

"We estimate there are approximately 200 million video players and streamers that currently run the vulnerable software, making this one of the most widespread, easily accessed and zero-resistance vulnerability reported in recent years," the researchers said. "This method requires little or no deliberate action on the part of the user, making it all the more dangerous."

Check Point notes that media players do not usually take security into account when they process subtitle files. There are a large number of completely different subtitle formats to consider as well - over 25 of them. "Media players often need to parse together multiple subtitle formats to ensure coverage and provide a better user experience, with each media player using a different method. Like other, similar situations which involve fragmented software, this results in numerous distinct vulnerabilities," the researchers stated in the post.

As of 23 May, the status of subtitle security from four vendors for which Check Point discovered the vulnerability is as follows. Check Point believes that other vendors may also suffer from similar vulnerabilities:

PopcornTime– Created a fixed version, but it is not yet available to download in the official website.
The fixed version can be manually downloaded via the following link: https://ci.popcorntime.sh/job/Popcorn-Time-Desktop/249

Kodi– Officialy fixed and available to download on their website

VLC– Officially fixed and available to download on their website

Stremio– Officially Fixed and available to download on their website

Interested?

Read the blog post at Check Point Software

posted from Bloggeroid