Light Dark
May 25, 2017 By Shane Schick 2 min read

“Attack Of The Subtitles” may sound like the name of a particularly geeky horror film, but researchers say it’s an actual threat whereby cybercriminals could perform remote code execution and take over entire systems.

Two Thumbs Down

Check Point Security disclosed the vulnerability, which may be running in more than 200 million streaming platforms and video players. The researchers said all it takes is downloading a malicious subtitle text file for cybercriminals to perform remote code execution. They can then launch distributed denial-of-service (DDoS) attacks, steal information or install ransomware, among other things.

The subtitle files in question are usually contained in repositories such as OpenSubtitles.org, where users specifically select them. That means potential victims have essentially opted in to download the malware, Threatpost explained.

Unfortunately, the lack of standardization in the way subtitle files are parsed means remote code execution flaws are incredibly common. Malicious actors could manipulate the ranking algorithm in the repositories to make sure the malicious subtitle files were seen as the most popular choice.

A New Avenue for Remote Code Execution

Forbes pointed out that while the use of subtitles may be somewhat novel, media players make sense as a possible attack vector given how prevalent they are. Smart TVs in particular may become targets for cybercriminals, offering an easy way to spy or collect information while users are innocently enjoying their favorite movies or television shows.

For the moment, there is no evidence that the remote code execution flaws via subtitles are being exploited in the wild. TechCrunch reported that most of the players at risk — including VLC, Popcorn Time, Kodi and Stremio — have released fixes or are being automatically patched. A demo clip of how the attack works, called “Hacked In Translation,” is also circulating on YouTube and can educate people about the potential dangers.

Even with the risk of remote code execution, streaming video isn’t about to die off anytime soon. Digital Trends said the real lesson here is that the simplest pieces of technology we take for granted — like subtitles — are the very thing cybercriminals might turn to their advantage. That’s why the ongoing story of IT security is so gripping: Just when you least expect it, there’s always a plot twist.

 |  | 
Shane Schick
Writer & Editor

More from

April 25, 2024

NIST’s role in the global tech race against AI

4 min read - Last year, the United States Secretary of Commerce announced that the National Institute of Standards and Technology (NIST) has been put in charge of launching a new public working group on artificial intelligence (AI) that will build on the success of the NIST AI Risk Management Framework to address this rapidly advancing technology.However, recent budget cuts at NIST, along with a lack of strategy implementation, have called into question the agency’s ability to lead this critical effort. Ultimately, the success…

April 24, 2024

Researchers develop malicious AI ‘worm’ targeting generative AI systems

2 min read - Researchers have created a new, never-seen-before kind of malware they call the "Morris II" worm, which uses popular AI services to spread itself, infect new systems and steal data. The name references the original Morris computer worm that wreaked havoc on the internet in 1988.The worm demonstrates the potential dangers of AI security threats and creates a new urgency around securing AI models.New worm utilizes adversarial self-replicating promptThe researchers from Cornell Tech, the Israel Institute of Technology and Intuit, used what’s…

April 23, 2024

Passwords, passkeys and familiarity bias

5 min read - As passkey (passwordless authentication) adoption proceeds, misconceptions abound. There appears to be a widespread impression that passkeys may be more convenient and less secure than passwords. The reality is that they are both more secure and more convenient — possibly a first in cybersecurity.Most of us could be forgiven for not realizing passwordless authentication is more secure than passwords. Thinking back to the first couple of use cases I was exposed to — a phone operating system (OS) and a…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature