WhatsApp patches critical security flaws
WhatsApp released security updates to fix two vulnerabilities in its Android and iOS apps that attackers could have exploited to execute remote code on vulnerable devices, The Hacker News reports.
The more severe of the two flaws — CVE-2022-36934 with a Common Vulnerability Scoring System (CVSS) score of 9.8 — relates to a critical integer overflow vulnerability that could result in remote code execution in an established video call.
With a CVSS score of 7.8, the second vulnerability is less severe. However, it relates to an integer overflow that attackers could exploit to execute remote code when receiving a crafted video file. It is tracked as CVE-2022-27492.
According to Malwarebytes, the bugs concern a piece of code in the Video Call Handler and Video File Handler WhatsApp components.
Malicious actors exploiting the critical-severity CVE-2022-36934 vulnerability could manipulate the bug in the Video Call Handler to trigger a heap-based overflow, allowing them to take complete control of the app.
The second flaw involved an integer underflow that attackers could exploit for remote code execution.
However, to take advantage of the flaw, they must send a malicious video file to the user’s WhatsApp messenger and convince them to open it.
The critical severity CVE-2022-36934 vulnerability impacts WhatsApp and WhatsApp Business apps for iOS and Android earlier than version 2.22.16.12.
The high-severity CVE-2022-27492 flaw impacts WhatsApp’s Android apps older than version 2.22.16.2 and its iOS apps older than version 2.22.15.9.
Malwarebytes explained that integer underflow bugs lead to undefined behaviour and crashes.
“In the case of overflows involving loop index variables, the likelihood of infinite loops is also high,” it stated.