Researchers at Check Point have discovered a flaw affecting several popular media players, stemming from how they process subtitles. If exploited, the flaw could give an attacker remote access to the victim’s system.
It’s estimated that nearly 200 million video players and streaming apps use the vulnerable software.
Check Point says the vulnerable versions of VLC, Kodi, Popcorn Time, and Stremio have been downloaded more than 220 million times. All an attacker has to do is develop malicious subtitles, which the video player then downloads to the user’s system.
“The attack vector relies heavily on the poor state of security in the way various media players process subtitle files and the large number of subtitle formats. To begin with, there are over 25 subtitle formats in use, each with unique features and capabilities,” Check Point explained.