WhatsApp Messenger Developers Eliminated Two RCE Vulnerabilities at Once

RCE vulnerabilities in WhatsApp messenger
Written by Emma Davis

WhatsApp developers have fixed two serious remote code execution (RCE) vulnerabilities in the messenger. The bugs affected both WhatsApp for Android and iOS.

As a reminder, we also reported that Researchers Reveal How to Hijack Someone Else’s WhatsApp Account.

The third security bulletin of the year has appeared on the messenger’s website (the first two were released in January and February 2022). In it, the developers describe two issues that affect the mobile versions of WhatsApp.

The first vulnerability, tracked as CVE-2022-36934, is rated critical (9.8 out of 10 on the CVSS scale) and is caused by an integer overflow. The issue affected WhatsApp for Android (up to version 2.22.16.12), the Business version of the Android app (up to version 2.22.16.12), WhatsApp for iOS (up to version 2.22.16.12) and the Business version of the messenger for iOS (up to version 2.22.16.12).

According to the developers, an attacker could use this vulnerability to remotely execute code during a video call.

The second issue, tracked as CVE-2022-27492 (CVSS score of 7.8 out of 10), is an integer underflow. It can also be exploited for remote code execution, but in this case the attacker must send a specially crafted video file to the victim. The bug has been fixed in WhatsApp for Android and iOS with the release of versions 2.22.16.2 and 2.22.15.9.

According to Malwarebytes, CVE-2022-36934 affects the Video Call Handler component, and CVE-2022-27492 affects the Video File Handler component.

Apparently, the vulnerabilities were discovered internally by the company's own developers, and at present there are no signs that they have been exploited by hackers.
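For anyone checking a device inventory against the versions quoted above, the following added example (not code from WhatsApp or from this article's sources) flags installs that predate the fixes. It assumes that each quoted version is the first fixed build and that 2.22.16.2 and 2.22.15.9 apply to Android and iOS in the order listed; the function names and the sample inventory are constructed for illustration. Versions are compared numerically because a plain string comparison would rank 2.22.16.2 above 2.22.16.12.

```python
# Thresholds are the version numbers quoted in the article (main app only).
# Assumption: each is the first fixed build, so strictly older means affected;
# the CVE-2022-27492 pair is read as Android first, iOS second.
FIXED = {
    "CVE-2022-36934": {"android": "2.22.16.12", "ios": "2.22.16.12"},
    "CVE-2022-27492": {"android": "2.22.16.2", "ios": "2.22.15.9"},
}

def parse_version(text):
    """Turn '2.22.16.2' into (2, 22, 16, 2); raise ValueError on anything else."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * (4 - len(nums))  # pad so 2.22.16 equals 2.22.16.0

def affected_cves(platform, installed):
    """Return the CVE ids whose fixed build is newer than `installed`."""
    key = platform.lower()
    if key not in ("android", "ios"):
        raise ValueError(f"unknown platform: {platform!r}")
    have = parse_version(installed)
    return [cve for cve, fixed in FIXED.items() if have < parse_version(fixed[key])]

def triage(inventory):
    """Map device -> list of CVEs, or ['UNPARSEABLE'] for rows that cannot be evaluated."""
    report = {}
    for device, platform, version in inventory:
        try:
            report[device] = affected_cves(platform, version)
        except ValueError:
            report[device] = ["UNPARSEABLE"]
    return report

# Constructed sample inventory: (device, platform, installed version).
SAMPLE = [
    ("phone-a", "android", "2.22.16.2"),   # patched for one CVE only
    ("phone-b", "android", "2.22.15.74"),
    ("phone-c", "iOS", "2.22.15.9"),
    ("phone-d", "ios", "2.22.16.12"),
    ("phone-e", "android", "unknown"),
]

if __name__ == "__main__":
    for device, cves in triage(SAMPLE).items():
        print(device, cves or "patched for both")
```

Note that an Android device on 2.22.16.2 is covered for CVE-2022-27492 but still behind the CVE-2022-36934 fix, so the higher of the two thresholds is the one to enforce.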

By the way, remember the enchanting story when Facebook, Instagram, and WhatsApp crashed globally? How did you survive without these products then? 😉


About the author

Emma Davis

I'm a writer and content manager (a short time ago I completed a bachelor's degree in Marketing at Gustavus Adolphus College). For now, I have a deep drive to study cyber security.
