WhatsApp has published details of a “critical” vulnerability that has been patched in a newer version of the app but could still affect older installations that have not been updated.
Details were disclosed in a September update of WhatsApp’s page on security advisories affecting the app and came to light on September 23rd.
The critical bug would allow an attacker to exploit a code error known as an integer overflow, letting them execute their own code on a victim’s smartphone after sending a specially crafted video call. Remote code execution vulnerabilities are a key step in installing malware, spyware, or other malicious applications on a target system, as they give attackers a foot in the door that can be used to further compromise the machine using techniques like privilege escalation attacks.
The recently disclosed vulnerability has been assigned the identification number CVE-2022-36934 in the national vulnerability database and given a severity score of 9.8 out of 10 on the CVE scale. This equates to the highest possible threat level: “critical.”
In the same security advisory update, WhatsApp also shared details of another vulnerability — CVE-2022-27492 — that would let attackers execute code after sending a malicious video file. This vulnerability was scored 7.8 out of 10, or a severity level of “high.”
Both of these vulnerabilities are patched in recently updated versions of WhatsApp and should already be fixed in any installation of the app that is set to automatically update (the default setting on most phones). According to the security advisory, the vulnerabilities affect:
- WhatsApp for Android prior to v184.108.40.206
- WhatsApp Business for Android prior to v220.127.116.11
- WhatsApp for iOS prior to v18.104.22.168
- WhatsApp Business for iOS prior to v22.214.171.124
Besides protecting against possible hacking exploits, there are more reasons to keep your WhatsApp installation updated. On Monday, the company announced that it was rolling out a new feature that will let users share a one-click link to join a group call and also testing the implementation of 32-person encrypted video chats.