Two vulnerabilities in WhatsApp allow attackers to plant malicious code on victims' devices. Updated app versions close the gaps.
With the WhatsApp releases referred to as the “September Update”, the developers have closed two security gaps that attackers could have used to smuggle malicious code onto the devices of unsuspecting victims. One of the gaps is so serious that it has been classified as a critical security risk.
Detailed information not available
Neither WhatsApp nor the entries in the NIST Common Vulnerabilities and Exposures database provide any more detailed information. They do indicate, however, that an integer overflow during an ongoing video call could lead to the execution of injected code (CVE-2022-36934, CVSS 9.8, risk “critical”).
The second vulnerability is based on a possible integer underflow that can occur when receiving specially crafted video files. As a result, attackers could likewise inject malicious code, according to the note in the WhatsApp security advisory (CVE-2022-27492, CVSS 7.8, risk “high”).
The latter gap affects WhatsApp for Android before version 2.22.16.2 and WhatsApp for iOS before version 2.22.15.9. The critical vulnerability was present in WhatsApp versions before 2.22.16.12 for Android and before 2.22.16.12 for iOS, and also affects the Business versions of the app.
Corrected versions are now available in the respective app stores. On Android, WhatsApp 2.22.19.76 is currently the latest version. WhatsApp users should check which version is installed on their smartphone and, if necessary, move to a current version by uninstalling the app and reinstalling it from the official app store of their platform.
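As an added example (not part of the article or of WhatsApp's own tooling), a small Python triage helper that compares installed WhatsApp version strings against the fixed versions the article lists, so an administrator can flag devices that still need the update. The inventory rows are constructed sample data, and the Business apps are assumed to share the consumer threshold only for the critical CVE, since the article gives no separate Business figures.

```python
# Added example: flag WhatsApp builds that are below the fixed versions named
# in the article (consumer Android/iOS thresholds; Business figures not given).
from typing import Dict, Iterable, List, Tuple

# (CVE id, first fixed version) per platform; any build below is affected.
FIXED_VERSIONS = {
    "android": [("CVE-2022-36934", "2.22.16.12"), ("CVE-2022-27492", "2.22.16.2")],
    "ios": [("CVE-2022-36934", "2.22.16.12"), ("CVE-2022-27492", "2.22.15.9")],
}


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '2.22.16.2' into a comparable tuple; missing trailing parts count as 0,
    so '2.22.16' sorts below '2.22.16.2' (string comparison would get this wrong)."""
    parts = v.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {v!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * (4 - len(nums))


def affected_cves(platform: str, version: str) -> List[str]:
    """Return the advisory CVE ids that this build is still missing fixes for."""
    key = platform.lower()
    if key not in FIXED_VERSIONS:
        raise ValueError(f"unknown platform: {platform!r}")
    installed = parse_version(version)
    return [cve for cve, fixed in FIXED_VERSIONS[key]
            if installed < parse_version(fixed)]


def triage(inventory: Iterable[Tuple[str, str, str]]) -> Dict[str, List[str]]:
    """inventory rows: (device_id, platform, version), e.g. from an MDM export.
    Returns {device_id: [cve, ...]} for devices that still need the update."""
    findings: Dict[str, List[str]] = {}
    for device_id, platform, version in inventory:
        cves = affected_cves(platform, version)
        if cves:
            findings[device_id] = cves
    return findings


if __name__ == "__main__":
    # Constructed sample inventory, not real device data.
    sample = [
        ("phone-01", "android", "2.22.19.76"),  # current build per the article
        ("phone-02", "android", "2.22.16.5"),   # underflow fixed, overflow not
        ("phone-03", "ios", "2.22.15.1"),       # still exposed to both CVEs
    ]
    for dev, cves in triage(sample).items():
        print(dev, "needs update:", ", ".join(cves))
```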
About six months ago, the third-party library PJSIP, which is used in WhatsApp Messenger, was affected by vulnerabilities of its own. At the time, however, it was unclear whether the messenger itself was vulnerable as a result.