Heads up, WhatsApp users! It’s time to update WhatsApp on your devices, as the latest version addresses two severe security flaws. Exploiting the vulnerabilities could allow an adversary to perform remote code execution (RCE) attacks and take control of WhatsApp messenger.
WhatsApp RCE Vulnerabilities Fixed In September
In a recent post, Malwarebytes elaborated on WhatsApp’s September update that addresses two major vulnerabilities.
As described, both vulnerabilities could allow remote code execution attacks on the target devices, exposing the victim’s WhatsApp data.
Specifically, the first of these, CVE-2022-36934, is an integer overflow allowing RCE attacks during a WhatsApp video call. The flaw existed in the Video Call Handler component and allowed an adversary to take control of an ongoing video call and the entire messenger app.
The second vulnerability, CVE-2022-27492, is related, but it affected video files rather than video calls. Specifically, it affected the Video File Handler component, allowing an attacker to trigger memory corruption through malicious unknown inputs. Simply put, sending a maliciously crafted video file could let the attacker trigger the flaw and gain remote code execution access on the target device.
Via an advisory, WhatsApp confirmed patching the vulnerabilities with the September update for its users across various devices. In particular, the service released the fixes with WhatsApp v220.127.116.11 for Android, Business for Android, iOS, and Business for iOS apps.
Since the vulnerabilities are now known, users must ensure they update their devices with the latest WhatsApp releases, if they haven’t done so already. Given the high security risks to WhatsApp users from remote hacking attacks and spying, keeping the app up to date is essential.
These two vulnerabilities extend the list of WhatsApp vulnerabilities fixed this year to four. It has been a while since the tech giant released such an update: the previous WhatsApp update arrived in February 2022 with WhatsApp v18.104.22.168, whereas the first security fix for the year had arrived with the January update.