
How the VLC Bug Hack Left 200 Million Devices Vulnerable

1 July 2017 Pavithra Shetty

Remote Code Execution Vulnerability In VLC Media Player


The cyber security and research firm Check Point on May 23, 2017, reported the discovery of a hack that left 200 million users of multimedia streaming applications vulnerable to attackers. The hack affects popular media players VLC Media Player, Kodi, Popcorn Time and Stremio. While these are the services that Check Point analyzed, the prevalence of the vulnerability suggests that its reach may go beyond just these media players.

The vulnerability targeted users downloading subtitles from subtitle services. The attackers were able to plant corrupted subtitle files. The hack begins when a user downloads the corrupt subtitle file for a movie onto their computer. The attackers are then able to take over control of a user’s computer and could do everything from locking the user out to corrupting the user’s data on the hard drive.

The scale of the vulnerability demands the attention of users, especially those with affected versions of the media player software. While some of the software vendors have rushed to release patches to address the vulnerability, end users need to upgrade to the latest available versions to avail themselves of the fixes. In case an attacker exploits this remote code execution vulnerability on a user’s computer, the user can entirely lose control over their personal computer.

Vulnerability Exploited Via Manipulated Subtitles  

In order to spread the executable malware onto users’ devices, the VLC hackers packaged up the corrupted files in subtitle files for media players. To normal users, these files look like harmless subtitle files. A user can download these files manually when looking for a subtitle file for a movie. Alternatively, some media players are set to download the subtitle automatically when the movie begins playing. When the user downloads the file, however, it comes with the hackers’ exploit, enabling the hacker to take over the computer.

Subtitle files face little scrutiny in the world of media streaming, and most users would never think of them as the source of an attack. Video players, in another oversight, trust the files that get provided as subtitle text files. All of the media players that Check Point analyzed are vulnerable to attacks that deliver malicious instructions via a subtitle text file.

Part of the problem with the media players is due to the fragmented nature of the subtitle formats. Subtitles for movies come in a variety of formats, like SRT, SBV, SCC, STL, and multiple others. Parsing these different formats is a nightmare, and media player programmers take different approaches to ensure that whatever file a user provides can play. The lack of a standard makes it harder to implement or enforce security protocols to avoid problems such as the remote code execution vulnerability.
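As an added illustration (not code from Check Point or from any of the media players named here), the sketch below treats an SRT file as untrusted input and accepts it only if it fits a strict grammar, instead of trusting whatever the download service returns. The size and line caps, the UTF-8 requirement and the three-tag allowlist are assumptions chosen for this example.

```python
import re

MAX_BYTES = 1 << 20   # assumed policy: 1 MiB cap on a subtitle file
MAX_LINE = 500        # assumed policy: cap on a single cue line
TIMING = re.compile(
    r"(\d{2}):([0-5]\d):([0-5]\d),(\d{3}) --> (\d{2}):([0-5]\d):([0-5]\d),(\d{3})"
)
TAG = re.compile(r"</?([A-Za-z][A-Za-z0-9]*)[^>]*>")
ALLOWED_TAGS = {"i", "b", "u"}   # assumed allowlist of styling tags

def _ms(h, m, s, ms):
    return ((int(h) * 60 + int(m)) * 60 + int(s)) * 1000 + int(ms)

def validate_srt(data: bytes) -> list:
    """Return a list of problems; an empty list means the file passed."""
    if len(data) > MAX_BYTES:
        return ["file exceeds size cap"]
    try:
        text = data.decode("utf-8-sig")   # strict decode, BOM tolerated
    except UnicodeDecodeError:
        return ["not valid UTF-8"]
    if any(ord(c) < 32 and c not in "\r\n\t" for c in text):
        return ["control character in file"]
    problems = []
    blocks = re.split(r"\n{2,}", text.replace("\r\n", "\n").strip("\n"))
    for n, block in enumerate(blocks, 1):
        lines = block.split("\n")
        if len(lines) < 3 or not lines[0].strip().isdigit():
            problems.append(f"cue {n}: malformed block")
            continue
        m = TIMING.fullmatch(lines[1].strip())
        if not m:
            problems.append(f"cue {n}: bad timing line")
            continue
        g = m.groups()
        if _ms(*g[4:]) <= _ms(*g[:4]):
            problems.append(f"cue {n}: end not after start")
        for line in lines[2:]:
            if len(line) > MAX_LINE:
                problems.append(f"cue {n}: line too long")
            bad = [t for t in TAG.findall(line) if t.lower() not in ALLOWED_TAGS]
            if bad:
                problems.append(f"cue {n}: disallowed tag <{bad[0]}>")
    return problems

# Constructed sample input, not taken from any real subtitle file.
SAMPLE = b"1\n00:00:01,000 --> 00:00:04,000\n<i>Hello</i> there\n"
if __name__ == "__main__":
    print(validate_srt(SAMPLE))
```

A file that fails any check is rejected outright; nothing is repaired and passed on to the player's parser.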

What made the situation worse is that attackers are able to manipulate the subtitle text file rankings on subtitle-download websites like OpenSubtitles. Once a hacker is able to dominate the entire subtitle value chain, they can feed users an infected subtitle file, and also ensure that that file stays high in the ranks. This perpetuates the reach of the bad file, since ranking depends on existing downloads, with the more popular downloads being preferred by the media player software.

A History Of Remote Code Execution Exploitation


There have been many notable examples of remote code execution hacks in the past, showing the seriousness of this line of cyber attack.

VLC Media Player, for example, has a history of remote code execution vulnerabilities dating as far back as 2008.

In 2014, Brazilian hacker Reginaldo Silva found a remote code execution vulnerability in Facebook. This vulnerability was related to Facebook’s processing of XML entities related to OpenID.

OpenID allows users to log into popular accounts using credentials from providers like Facebook and Google.

Facebook’s Bug Bounty program classifies remote code execution flaws as the most serious type of flaw, since a hacker can do a ton of damage if they are able to run malicious code on Facebook’s servers.

Silva also discovered similar remote code execution flaws affecting Google and StackOverflow, as well as many software libraries in the programming languages Java, C#, Ruby, Python, Perl, and others.

In 2015, Patreon got hacked due to what may have been a remote code execution flaw in a public debugger they were using. Of the nature of the flaw in the software being used by Patreon, the Detectify Labs writeup on the hack said,

“This is basically Remote Code Execution by design.

An RCE is basically game over. You can inject code directly into the application, exposing all data on the server which the application has access to.”

What makes this type of hack so serious is that it gives a hacker the control to steal or manipulate data, including user data or financial details, or do a lot more damage than that.

More recently, Facebook paid out $40,000 in January 2017 to hacker Andrew Leonov for revealing a remote code execution vulnerability in Facebook. This remote code execution vulnerability could be traced to the popular image processing software ImageMagick.

The Need For Patching Computing Systems

The technical term for the VLC hack and other hacks of this sort is Remote Code Execution, or RCE for short. This can only be fixed by patching the affected systems.

According to the Hacking Sec blog, remote code execution describes an “attacker’s ability to execute any commands of the attacker’s choice on a target machine or in a target process.”

In remote code execution, an attacker gets the ability to upload machine code or some other executable code onto a machine belonging to the hacking target. Once a hacker uploads a so-called “arbitrary code exploit”, they can then run their exploit to take data or wreak havoc on the target’s computing system.

The ways in which a hacker can cause damage once they have successfully gained control via remote code execution are almost boundless. The hacker can read files from the target computer system and network, make uncontrolled network connections, or initiate denial-of-service attacks on the server. Beyond that, the hacker can completely disable a computing system if they wish, leading to multiple disruptions in the availability and functionality of computing services.

VLC rushed to release patches to contain the vulnerability. However, should an attacker find a way to exploit the system before the patches are applied, any of the 200 million users of the vulnerable media players could face attacks. On user computers, remote code execution might target personal data or other important information.

How VLC Software Users Can Protect Themselves

As the VLC hack shows, with 200 million users vulnerable to just this exploit, users need to safeguard against remote code execution. The popularity of media players like VLC indicates this. If such popular software can be hacked, it puts many ordinary computer and phone users at risk.

Given the growth in the adoption of computing devices and smart devices worldwide, this represents a great part of the population.

Updating to the latest versions of software is a great proactive strategy that users can take to protect themselves against such hacks. This is because the latest software updates typically patch all the critical vulnerabilities before release. A user running the most recent software is, therefore, less vulnerable to exploits.

The best way to protect yourself, in light of these vulnerabilities, is to apply the patches from VLC and other media players.

Lessons From The VLC Bug


The VLC bug shows that hacks, and remote code execution, in particular, are a menace. Other media players besides VLC Media Player also showed this same vulnerability. In vulnerabilities like this, hackers can take over users’ computer systems and execute arbitrary code of their choice.

Beyond applying the latest software patches, users should be taking measures, such as the use of proxy services and browsing anonymously, in order to limit their exposure to hacking.