Vulnerabilities Appear Not to Have Been Exploited in the Wild
WhatsApp patched two vulnerabilities that could be exploited by an attacker as a first step to installing smartphone malware on Android or Apple devices.
See Also: Now OnDemand | C-Suite Round-up: Connecting the Dots Between OT and Identity
The Meta-owned chat app loaded onto nine out of every 10 smartphones in much of Latin America and with comparably high rates of penetration in many European and African countries disclosed the vulnerabilities and the patch on Monday. None of the vulnerabilities appear to have been exploited in the wild, says cybersecurity firm Malwarebytes.
Each vulnerability was closed by updated versions of the app that downloaded onto the smartphones of most users, or at least the phones of users who haven’t turned off the typical smartphone’s default setting of automatic app updates.
One of the flaws, tracked as CVE-2022-36934 amounts to a “critical” flaw that an attacker could exploit via a specially formatted video call. The flaw stems from an integer overflow vulnerability in the Video Call Handler component, Malwarebytes says. An attacker could write a larger value into memory than is allocated by the component, causing a heap-based buffer overflow that allows an attacker to take control of the application.
The heap is memory allocated to the program whereas a buffer overflow is a type of software vulnerability triggered when an application reaches its memory address boundary and writes commands into an adjacent memory region.
The second vulnerability is a high-severity flaw tracked as CVE-2022-27492. This one is an integer underflow bug found in the WhatsApp Video File Handler component, the Malwarebytes analysis says. Unlike integer overflow flaws, an underflow flaw usually occurs when a number that should be a positive is assigned a negative value. “To exploit this vulnerability, attackers would have to drop a crafted video file on the user’s WhatsApp messenger and convince the user to play it,” the company says.
WhatsApp vulnerabilities can be highly valuable to malicious actors. Chat apps have been exploited to install malware on the smartphones of journalists, activists and politicians. Meta in 2019 filed a lawsuit against advanced spyware firm NSO Group for infecting its customers’ phones with Pegasus spyware (see: Facebook Sues Spyware Maker Over WhatsApp Exploit).