Put down the popcorn and patch your media player

Researchers have uncovered an alarming “zero resistance” security hole in the way several popular media players handle film subtitles that could allow attackers to take full control of a user’s computer.

Subtitle files, which exist in any one of a surprising mess of 25 different formats, are normally loaded as a convenience for the hearing impaired or because the film was made in a language other than the viewer’s.

The discovery by Check Point is that these apparently harmless text files nobody has paid any attention to can be used to hide malicious content.

All attackers would have to do is get a player application to pick up their subtitle file, which could be achieved by sneakily bumping it up the list of files held in popular open-source repositories.

Lo and behold, the known affected players – VLC, Kodi (formerly XBMC), Popcorn Time and Stremio – treat these subtitle files as trusted content and use them, no questions asked.

In fact, this is not a vulnerability so much as a new class of vulnerability that affects one type of software with the same results – the user is pwned without doing anything, hence the “zero resistance” moniker.

Media players have been a rich hunting ground for security researchers and attackers over the years, but finding a fundamental issue affecting several products at the same time is highly unusual.

Let’s untangle the good from the bad. The fact that researchers discovered the issue before attackers exploited it is a thumbs-up. It’s also positive that it’s been disclosed and patched on all four players cited:

VLC: fixed and available to download.

Kodi: fixed and available for download.

Stremio: fixed and available to download.

Popcorn Time: fixed and available to download manually.

Now for a less positive view. First, if your favourite media player isn’t one mentioned above, don’t assume it’s not affected. Say the researchers:

We have reason to believe similar vulnerabilities exist in other media players as well.

We could also complain that, although the weakness doesn’t appear to have been exploited in real-world attacks, it is wearying that such a glaring problem exists under everyone’s noses.

But the immediate concern is that hundreds of millions of installed players need to be updated before cybercriminals work out how to exploit the weakness. The description of the technique on Check Point’s website is vague, but that’s not an indefinite defence.

How quickly this updating will happen isn’t clear because the process varies from product to product and platform to platform. In most cases, it will require manual updating and that inevitably means some won’t receive it for a while – or ever.

It’s not clear whether mobile platforms such as Android are as badly affected as, say, Windows, but it’s safer to assume that the compromise could potentially be tweaked to work across different operating systems.

Our advice is to update any media player on any platform ASAP. The next time you play a movie on any device, make sure cybercriminals aren’t playing you.