A proof-of-concept attack using malicious video subtitle files reveals how adversaries can execute remote code on PCs, Smart TVs and mobile devices using popular video players and services such as VLC Media Player, Kodi, Stremio and Popcorn Time.
"This is a brand new attack vector. We haven’t seen this type of attack yet in the wild. But we believe there are upwards of 200 million video players and streamers vulnerable to this type of attack," said Omri Herscovici, team leader for products research and development at Check Point Software Technologies.
Herscovici said each media player Check Point looked at has a unique vulnerability that allows a remote attacker to ultimately execute code and gain control of the targeted system. With the VLC player, researchers were able to take advantage of a memory corruption vulnerability to gain control of a PC. With other media players and streamers, Check Point said it would not disclose the technical details until software updates were deployed to users.