Check Point researchers have discovered a new attack vector that could allow hackers to use malicious subtitles to target users of popular media platforms and gain complete control of their PCs, mobiles, and smart TVs.
Check Point security researchers have revealed a new attack vector threatening hundreds of millions of users of popular media players, including VLC, Kodi (XBMC), Popcorn Time and Stremio. By crafting malicious subtitles, which are then downloaded by viewers, attackers can potentially take complete control of any device running the vulnerable platforms.
“The supply chain for subtitles is complex, with over 25 different subtitle formats in use, all with unique features and capabilities,” said Omri Herscovici, vulnerability research team leader at Check Point. “This fragmented ecosystem, along with limited security, means there are multiple vulnerabilities that could be exploited, making it a hugely attractive target for attackers. We have now discovered malicious subtitles could be created and delivered to millions of devices automatically, bypassing security software and giving the attacker full control of the infected device and the data it holds.”
Check Point’s research team tested and found vulnerabilities in four of the most popular media players: VLC, Kodi, Popcorn Time and Stremio, and followed responsible disclosure guidelines to report the vulnerabilities. By exploiting vulnerabilities in these platforms, hackers were able to use the malicious files to take over the devices playing the media.
The subtitles for films or TV shows are created by a wide range of subtitle writers, and uploaded to shared online repositories, such as OpenSubtitles.org, where they are indexed and ranked. Check Point researchers also demonstrated that by manipulating the repositories’ ranking algorithm, malicious subtitles can be automatically downloaded by the media player, allowing a hacker to take complete control over the entire subtitle supply chain without user interaction.
Since the vulnerabilities were disclosed, all four companies have fixed the reported issues. Stremio and VLC have also released new software versions incorporating this fix. “To protect themselves and minimize the risk of possible attacks, users should ensure they update their streaming players to the latest versions,” concluded Herscovici.
VLC has over 170 million downloads of its latest version, released June 5, 2016. Kodi (XBMC) has reached over 10 million unique users per day, and nearly 40 million unique users per month. No current estimates exist for Popcorn Time usage, but it is estimated to be tens of millions. Check Point has reason to believe similar vulnerabilities exist in other streaming media players.
Nintendo announces Stranger Things 3 game
The Netflix Original show is set to launch a retro-style game on the Nintendo Switch.
In collaboration with Netflix, developer BonusXP has created Stranger Things 3: The Game. It is the official companion game to Season 3 of the hit original series. The game and latest season are expected to launch on US Independence Day, the 4th of July, a date that will, of course, stick in American gamers’ memories.
This adventure game blends a distinctively retro 16-bit art style, reminiscent of games from the time when the series was set, with what are claimed to be modern gameplay mechanics, to deliver nostalgic fun with a fresh new twist. Players will be able to experience their favourite show through a mix of exploration, puzzles, and combat.
Just as in the show, teamwork is at the heart of Stranger Things 3: The Game. Players can team up in two-player local co-operative mode, or play in single-player mode alongside an AI partner. Players can choose to play as one of twelve characters from the show, each with different abilities and attributes. Together, they’ll play through familiar events from the series, while also uncovering never-before-seen Stranger Things secrets, ensuring a fun experience for those new to the world of Stranger Things as well as for those familiar with the series.
- Experience the show in a new way, exploring the eerie world of Hawkins to uncover new mysteries beyond what’s seen in Season 3.
- Jump right into the action of this pick-up-and-play adventure: gameplay mechanics that allow players from beginner to advanced skill levels to get in on the fun.
- Take your game to a higher level by trying out different character combinations and collecting all the secrets the expansive world of Hawkins has to offer.
- Team up with a friend, leveraging drop-in/drop-out local co-op to take on the mysterious monsters of Hawkins together. While playing solo, use a collection of “buddy commands” to control both characters and still experience all the fun.
- Choose from 12 playable characters, each with their own unique talents and stats.
New AirPods and iMac in iStore this weekend
iStore has announced availability of the new second generation AirPods and iMac, unveiled this week, in store this weekend.
“AirPods revolutionised the wireless audio experience with a breakthrough design and the new AirPods build on the magical experience customers love,” said iStore in its announcement. “The new Apple-designed H1 chip, developed specifically for headphones, delivers performance efficiencies, faster connect times, more talk time and the convenience of hands-free ‘Hey Siri’.”
AirPods come with either a standard charging case or a new wireless charging case that works with Qi standard chargers. The wireless charging case can be ordered for R3 699. The case can be used with the first or second generation AirPods.
The iMac line now has up to 8-core Intel 9th-generation processors and powerful Vega graphics options, delivering dramatic increases in both compute and graphics performance. The new iMac is faster for everyday tasks, up to demanding pro workloads. It includes retina display, all-in-one design, quiet operation, fast storage and memory, modern connectivity and macOS Mojave.