UPDATED 00:02 EDT / MAY 26 2017

Media player users urged to update software to stop subtitle hacking vulnerability

Users of popular media players such as Kodi, VLC and Popcorn Time are being urgently warned to update their software after it was discovered that hackers could embed hidden computer viruses in the subtitles used by the services.

Discovered by security firm Check Point Security Technologies Ltd., the new attack vector involves hackers crafting malicious files that are downloaded by unsuspecting users who are attempting to add subtitles to the television shows or movies they are watching. Once a device is infected, the hackers behind the virus can take complete control of the device, allowing them to do whatever they want, including stealing sensitive information, installing ransomware, undertaking mass denial-of-service attacks and more. The attack isn't limited to particular sorts of devices either: PCs can be infected, along with mobile devices and smart TVs.

“We estimate there are approximately 200 million video players and streamers that currently run the vulnerable software, making this one of the most widespread, easily accessed and zero-resistance vulnerability reported in recent years,” the company said in a blog post. According to VLC, 170 million users have downloaded the player since June 2016. Kodi reports more than 40 million unique users of its video software each month.

The problem is exacerbated by each platform using a different method to parse subtitles, most of them badly coded. “There are dozens of subtitle formats, from SRT, SUB and GSS – and no standards for parsing,” Check Point added. “Each one of the players we looked at uses a homegrown version of a subtitle parsing implementation. And each one of them had a remote code execution flaw.”

Updated versions that patch the vulnerability are available for the VLC player, along with Stream.io. The latest version of Kodi, v17.3, also includes a patch. The administrators behind the software told customers that the “possible vulnerability is only present when you first enable a subtitle download add-on and then actually download zipped subtitles. Any subtitles that you already have as [a] text file, are embedded in the video stream or are included with your DVD or Blu-rays are safe.”

Photo: gruenemann/Flickr
