A security vulnerability in the way that popular video players like VLC and Kodi load third-party subtitles has been brought to light by Israeli security firm Check Point. The firm points out that malicious subtitles could run code on a PC, essentially giving attackers full access.
Check Point specifically called out Kodi, VLC, Popcorn Time and Strem.io as being vulnerable to this type of attack, though it's possible that other video-playing software that uses third-party subtitles may also be affected. As of this writing, VLC and Strem.io have both issued updates that fix the vulnerability, and Kodi and Popcorn Time are said to be working on patches.
In a video, Check Point demonstrated the vulnerability in Popcorn Time and Kodi, taking over a user's computer when the user loaded the malicious subtitles.
The malicious subtitles are likely to come from online repositories that allow public submissions, making it possible for anyone to put malicious files up for public consumption. While many of these repositories may be used by pirates, users who are digitizing their own media (a legal gray area) may also go searching for subtitles in various languages.
The research team at Check Point suggests that as many as 200 million users may be vulnerable to the attack. To protect yourself, update your video software. If you're not sure whether or not your player has been updated, don't use it or load subtitles until it's been patched.