WhatsApp patches major security bug that put your data at risk

WhatsApp, in its latest advisory, reports two critical remote code execution vulnerabilities that could put the data of users running older app versions at risk. The chat company has patched the “critical” security vulnerability that could allow attackers to remotely install malware on a victim’s smartphone via a crafted video file.

WhatsApp identifies one of the flaws as CVE-2022-36934, describing it as an integer overflow issue that affects WhatsApp for Android prior to 2.22.16.12, Business for Android prior to 2.22.16.12, iOS prior to 2.22.16.12, and Business for iOS prior to 2.22.16.12. WhatsApp says that this bug could “result in remote code execution in an established video call.”

The second flaw, tracked as CVE-2022-27492, is an integer underflow that attackers could use to run remote code on a victim’s phone by sending them a specially crafted video file. WhatsApp has fixed these vulnerabilities for Android and iOS by releasing the 2.22.16.2 and 2.22.15.9 app versions, respectively. NVD rates this as high severity with a 7.8 score.

WhatsApp has published three advisories so far this year. The first was released in January, followed by a second in February. In its January update, the chat app revealed a software vulnerability in WhatsApp for Android prior to v2.21.23, WhatsApp Business for Android prior to v2.21.23, WhatsApp for iOS prior to v2.21.230, WhatsApp Business for iOS prior to v2.21.230, WhatsApp for KaiOS prior to v2.2143, and WhatsApp Desktop prior to v2.2146, triggered if a user makes a 1:1 call to a malicious actor. The NVD base score for this vulnerability is 9.8, critical.

The February advisory describes a “missing bound check in RTCP flag parsing code prior to WhatsApp for Android v2.21.23.2, WhatsApp Business for Android v2.21.23.2, WhatsApp for iOS v2.21.230.6, WhatsApp Business for iOS 2.21.230.7, and WhatsApp Desktop v2.2145.0 could have allowed an out-of-bounds heap read if a user sent a malformed RTCP packet during an established call.”
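The three bug classes named above (integer overflow, integer underflow and a missing bounds check on a length field) share one root cause: a length taken from untrusted media or packet data is used in arithmetic before it is validated. The following C example is added here for illustration and is not WhatsApp's code or any real media or RTCP format; it uses a constructed 4-byte header (2-byte big-endian total length, flags, type) and shows the unchecked length computation that wraps on underflow, the naive `offset + len <= size` check that wraps on overflow, and the checked forms that reject both without ever touching memory out of bounds.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical record header, constructed for this example:
 *   bytes 0-1: total record length, big-endian (includes the header itself)
 *   byte  2  : flags
 *   byte  3  : type
 * Not WhatsApp's format and not RTCP; just enough to show the arithmetic. */
#define HDR_SIZE ((size_t)4)

enum parse_status { PARSE_OK = 0, PARSE_TRUNCATED = 1, PARSE_BAD_LENGTH = 2 };

static uint16_t read_be16(const uint8_t *p) {
    return (uint16_t)(((unsigned)p[0] << 8) | p[1]);
}

/* The vulnerable pattern: derive the payload length from the declared length
 * without checking it against the header size or the bytes actually received.
 * A declared length of 2 yields 2 - 4, which wraps to SIZE_MAX - 1 in size_t.
 * This function only computes the value; it never dereferences past the header. */
size_t payload_len_unchecked(const uint8_t *buf, size_t buf_len) {
    (void)buf_len;                      /* the bug: buffer size is ignored */
    uint16_t declared = read_be16(buf);
    return (size_t)declared - HDR_SIZE; /* underflows when declared < HDR_SIZE */
}

/* The hardened pattern: validate the declared length against both bounds
 * before computing any offset or copy length. */
enum parse_status parse_chunk_checked(const uint8_t *buf, size_t buf_len,
                                      const uint8_t **payload, size_t *payload_len) {
    if (buf_len < HDR_SIZE) return PARSE_TRUNCATED;  /* header not fully received */
    uint16_t declared = read_be16(buf);
    if (declared < HDR_SIZE) return PARSE_BAD_LENGTH; /* would underflow */
    if (declared > buf_len)  return PARSE_TRUNCATED;  /* would read out of bounds */
    *payload = buf + HDR_SIZE;
    *payload_len = (size_t)declared - HDR_SIZE;
    return PARSE_OK;
}

/* Naive bounds check: offset + len can wrap past SIZE_MAX and come out "small",
 * so an out-of-range request is accepted. */
int range_in_bounds_naive(size_t offset, size_t len, size_t buf_len) {
    return offset + len <= buf_len;
}

/* Overflow-safe check: rearranged so that no addition can wrap. */
int range_in_bounds(size_t offset, size_t len, size_t buf_len) {
    if (offset > buf_len) return 0;
    return len <= buf_len - offset;
}

int main(void) {
    /* Constructed inputs: one record that declares fewer bytes than its header,
     * and one well-formed record with a 2-byte payload. */
    const uint8_t bad[]  = { 0x00, 0x02, 0x01, 0x05 };
    const uint8_t good[] = { 0x00, 0x06, 0x01, 0x05, 0xAA, 0xBB };
    const uint8_t *payload; size_t plen;

    printf("unchecked length for declared=2: %zu (wrapped)\n",
           payload_len_unchecked(bad, sizeof bad));
    printf("checked parse of bad record:  status %d\n",
           parse_chunk_checked(bad, sizeof bad, &payload, &plen));
    printf("checked parse of good record: status %d, payload_len %zu\n",
           parse_chunk_checked(good, sizeof good, &payload, &plen), plen);
    printf("naive check (SIZE_MAX, 2, 10) accepts: %d; safe check: %d\n",
           range_in_bounds_naive(SIZE_MAX, 2, 10), range_in_bounds(SIZE_MAX, 2, 10));
    return 0;
}
```

The two checked functions reject malformed input by returning a status rather than clamping silently, which is what lets a defender log the event; in a media or RTP/RTCP parser the same pattern (validate declared length against received length, and do every range check in a form that cannot wrap) is what closes this whole class of out-of-bounds reads.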
