WhatsApp has recently released security updates for iOS and Android platforms to arrest two flaws that could result in remote code execution on susceptible devices. CVE-2022-36934 (CVSS score: 9.8), which is one of the concerns is a critical overflow vulnerability in the most popular messaging app.
Hacking via video call?
It can lead to the execution of arbitrary code just by establishing a video call. This issue affects WhatsApp and WhatsApp Business versions before 2.22.16.12 of iOS and Android.
Patch up
The Meta-owned platform also patched an integer underflow bug, which concerns an opposite category of errors. It happens when the result of an operation is too small to store the value within the memory space allocated.
Trigger factor
This high-severity issue is given the CVE identifier CVE-2022-27492 (CVSS score: 7.8). It affects WhatsApp Android versions before 2.22.16.2 and WhatsApp iOS version 2.22.15.9. It could get triggered by receiving a video file crafted in a specific way.
Watch this YouTube video:
Exploitation
Manipulations of integer overflows and underflows are done to induce undesirable behavior, leading to unexpected crashes, code execution, and memory corruption.
More info
Although WhatsApp did not share more about these vulnerabilities as per Malwarebytes, a cybersecurity firm, they reside in two components known as Video File Handler and video Call Handler. These could allow an attacker to gain control of the messaging platform.
Good news for hackers
Such vulnerabilities are rewarding attack vectors for threat actors who want to plant malicious software on compromised devices. In 2019, the Israeli spyware maker NSO Group took advantage of the audio calling flaw to inject the Pegasus spyware.
