Malicious Subtitles Threaten VLC, Kodi and Popcorn Time Users, Researchers Warn

Millions of people risk having their devices and systems compromised by malicious subtitles, according to a new research published by security firm Check Point. The threat comes from a previously undocumented vulnerability which affects users of popular streaming software, including Kodi, Popcorn-Time, and VLC. Developers of the applications have already applied fixes and in some cases, working on it. From a report: While most subtitle makers do no harm, it appears that those with malicious intent can exploit these popular streaming applications to penetrate the devices and systems of these users. Researchers from Check Point, who uncovered the problem, describe the subtitle 'attack vector' as the most widespread, easily accessed and zero-resistance vulnerability that has been reported in recent years. "By conducting attacks through subtitles, hackers can take complete control over any device running them. From this point on, the attacker can do whatever he wants with the victim's machine, whether it is a PC, a smart TV, or a mobile device," they write.

Re:Plain Text

[squiggleslash]

Not that it changes your question much, but I think a significant number of subtitle systems (I know DVD does this for one) are based on low depth bitmaps, not text. That said, that makes it harder to understand why they'd be so easy to code badly, given bitmaps have an easily calculated maximum size.

Re:Plain Text

Remember, DVD players hit the mass market in 1997. Rendering a font in real-time for each language would have increased the cost of the processor. Compositing could be handled by the same video chipset that handled animated menus.