Vulnerabilities do not appear to have been exploited in the wild
Mihir Bagwe (MihirBagwe)
September 28, 2022
WhatsApp has patched two vulnerabilities that could be exploited by an attacker as a first step to install smartphone malware on Android or Apple devices.
The Meta-owned chat app, which is installed on nine out of ten smartphones in much of Latin America and has comparably high penetration rates in many European and African countries, disclosed the vulnerabilities and the patch on Monday. None of the vulnerabilities appear to have been exploited in the wild, says cybersecurity firm Malwarebytes.
Each vulnerability has been closed by updated versions of the app, which have been downloaded to most users’ smartphones, or at least to the phones of users who have not disabled the default smartphone setting for automatic app updates.
One of the bugs, tracked as CVE-2022-36934, represents a “critical” bug that an attacker could exploit via a specially formatted video call. The bug stems from an integer overflow vulnerability in the Video Call Handler component, Malwarebytes says. An attacker could write a larger value to memory than is allocated by the component, which would cause a heap-based buffer overflow that could allow an attacker to take control of the application.
The heap is memory allocated to a program while it runs, while a buffer overflow is a type of software vulnerability that is triggered when an application writes past the end of the memory it was allocated and into an adjacent memory area.
The second vulnerability is a high-severity bug tracked as CVE-2022-27492. This is an integer underflow bug found in the WhatsApp Video File Handler component, says Malwarebytes' analysis. Unlike integer overflow errors, an underflow error usually occurs when a number that should be positive is assigned a negative value. “To exploit this vulnerability, attackers would have to drop a manipulated video file on the user’s WhatsApp messenger and convince the user to play it,” the company says.
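The two bug classes described above, shown as an added example next to the length checks that prevent them. This is not WhatsApp's code; the function names, fields and sample values are assumptions constructed for illustration, and the arithmetic uses unsigned 32-bit integers, where an underflow shows up as a very large number rather than a negative one.

```c
#include <stdint.h>
#include <stdio.h>

/* Integer overflow: the 32-bit product wraps, so a buffer sized from it
 * is far smaller than the data that will later be copied into it. */
static uint32_t unchecked_alloc_size(uint32_t count, uint32_t elem_size) {
    return count * elem_size;                 /* wraps modulo 2^32 */
}

/* Hardened: refuse any count whose product cannot be represented. */
static int checked_alloc_size(uint32_t count, uint32_t elem_size, uint32_t *out) {
    if (elem_size != 0 && count > UINT32_MAX / elem_size)
        return -1;                            /* would overflow: reject input */
    *out = count * elem_size;
    return 0;
}

/* Integer underflow: a header longer than the declared total length
 * turns the "remaining bytes" value into a huge number. */
static uint32_t unchecked_payload_len(uint32_t total_len, uint32_t header_len) {
    return total_len - header_len;            /* wraps below zero */
}

/* Hardened: validate the relationship before subtracting. */
static int checked_payload_len(uint32_t total_len, uint32_t header_len, uint32_t *out) {
    if (header_len > total_len)
        return -1;                            /* malformed lengths: reject input */
    *out = total_len - header_len;
    return 0;
}

int main(void) {
    uint32_t n = 0;
    /* Constructed sample values, not taken from any real file or call. */
    printf("unchecked size:    %u\n", (unsigned)unchecked_alloc_size(0x40000001u, 4));
    printf("checked size rc:   %d\n", checked_alloc_size(0x40000001u, 4, &n));
    printf("unchecked payload: %u\n", (unsigned)unchecked_payload_len(8, 16));
    printf("checked payload rc: %d\n", checked_payload_len(8, 16, &n));
    return 0;
}
```
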
WhatsApp vulnerabilities can be very valuable to malicious actors. Chat apps have been abused to install malware on the smartphones of journalists, activists and politicians. Meta filed a lawsuit against spyware company NSO Group in 2019 for infecting its customers’ phones with Pegasus spyware (see: Facebook sues spyware maker over WhatsApp exploit).