WhatsApp CVE-2022-36934 and CVE-2022-27492


The developers of WhatsApp have fixed two particularly dangerous security flaws in the mobile application for Android and iOS: a video call or a video file sent through WhatsApp can allow code to be executed remotely on your device! Let’s take a look.

The two vulnerabilities that are the subject of this article are associated with the following CVE references: CVE-2022-36934 and CVE-2022-27492.

WhatsApp – CVE-2022-36934

Let’s start with CVE-2022-36934, a critical security flaw with a CVSS score of 9.8 out of 10! According to the security bulletin posted by WhatsApp, it affects all versions of WhatsApp for Android before v2.22.16.12, Business for Android before v2.22.16.12, iOS before v2.22.16.12 and Business for iOS before v2.22.16.12. The vulnerability is an integer overflow bug.

Also according to the security bulletin, a simple video call can allow the attacker to achieve remote code execution on your device!

WhatsApp – CVE-2022-27492

The second vulnerability, CVE-2022-27492, has a CVSS score of 7.8 out of 10. It also affects all versions of WhatsApp for Android before v2.22.16.12, while on iOS it affects all versions before v2.22.15.9. The vulnerability is an integer underflow bug.

In a similar vein to the previous vulnerability, this time it is a specially crafted video file sent to a target user that may enable remote code execution when the file is played.

Of course, WhatsApp users are advised to update to v2.22.16.12 without delay to protect against these two security vulnerabilities. For its part, WhatsApp states that there is no indication that any of the flaws fixed in this update have been exploited in attacks. Now that these vulnerabilities are being discussed publicly, that could happen later…
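For anyone checking a device inventory against the version thresholds quoted above, here is an added example (not from WhatsApp or the original article) that compares installed versions numerically and reports which of the two CVEs still apply. The device names, the `INVENTORY` list and the function names are constructed for illustration; the fixed versions are the ones stated in this article.

```python
# Added example: fixed-version thresholds copied from the article text above.
FIXED_IN = {
    "CVE-2022-36934": {
        ("android", "whatsapp"): "2.22.16.12",
        ("android", "business"): "2.22.16.12",
        ("ios", "whatsapp"): "2.22.16.12",
        ("ios", "business"): "2.22.16.12",
    },
    "CVE-2022-27492": {
        ("android", "whatsapp"): "2.22.16.12",
        ("ios", "whatsapp"): "2.22.15.9",
    },
}

def parse_version(text):
    """Turn 'v2.22.16.12' into (2, 22, 16, 12); reject anything non-numeric."""
    parts = text.strip().lstrip("vV").split(".")
    if not all(p.isascii() and p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in parts)

def is_before(installed, fixed):
    """Numeric comparison: as strings, '2.22.9.78' would sort after '2.22.16.12'."""
    a, b = parse_version(installed), parse_version(fixed)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))  # pad so 2.22.16 compares like 2.22.16.0
    b += (0,) * (width - len(b))
    return a < b

def exposed_cves(platform, app, installed):
    """Return the CVEs from the article that still apply to this install."""
    key = (platform.lower(), app.lower())
    return sorted(cve for cve, fixes in FIXED_IN.items()
                  if key in fixes and is_before(installed, fixes[key]))

# Constructed sample inventory (hypothetical devices, not real data).
INVENTORY = [
    ("phone-01", "android", "whatsapp", "2.22.9.78"),
    ("phone-02", "ios", "whatsapp", "2.22.15.9"),
    ("phone-03", "android", "business", "2.22.16.12"),
]

def audit(inventory):
    """Map each device to the list of CVEs it is still exposed to."""
    return {dev: exposed_cves(plat, app, ver) for dev, plat, app, ver in inventory}

if __name__ == "__main__":
    for device, cves in audit(INVENTORY).items():
        print(device, "needs update:" if cves else "ok", ", ".join(cves))
```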

PS: Beware of video calls with anonymous people, as well as files from unknown sources…

By admin