For the past day or two, our newsfeed has been buzzing with warnings about WhatsApp.
We have seen many reports linking to two tweets claiming the existence of two zero-day vulnerabilities in WhatsApp and their bug IDs as CVE-2022-36934 and CVE-2022-27492.
An article apparently based on those tweets breathlessly insisted that not only were these bugs zero-day, but that they were discovered internally and fixed by the WhatsApp team themselves.
However, by definition a zero-day is a bug that attackers discovered and exploited before a patch was available, so that there were zero days on which even the most proactive sysadmin with the most progressive attitude to patching could have been ahead of the game.
In other words, the whole point of calling a bug a zero-day (often written with a digit, as 0-day) is to convey that the patch is at least as important as ever, and perhaps more so, because installing it is about catching up with the crooks rather than getting ahead of them.
If developers discover a bug themselves and patch it themselves in their next update, that’s not a zero day, because the good guys were there first.
The same applies when security researchers follow the principle of responsible disclosure, where they give the vendor the details of a new bug but commit to withholding those details for an agreed period so that the vendor has time to produce a patch: that is not a zero-day either.
Setting a responsible disclosure deadline for publishing a description of the bug serves two purposes: the researcher ultimately gets credit for the work, and the vendor is prevented from sweeping the issue under the rug, knowing that it will eventually be outed anyway.
So what is the truth?
Is WhatsApp currently under active attack by cybercriminals? Is this a clear and present danger?
How Concerned Should WhatsApp Users Be?
If in doubt, consult the advisory
As far as we can tell, the reports currently circulating are based on information straight from WhatsApp’s own 2022 security advisory page, which states [2022-09-27T16:17:00Z]:
WhatsApp Security Advisories, 2022 Updates, September Update:

CVE-2022-36934: An integer overflow in WhatsApp for Android prior to v2.22.16.12, Business for Android prior to v2.22.16.12, iOS prior to v2.22.16.12, Business for iOS prior to v2.22.16.12 could result in remote code execution in an established video call.

CVE-2022-27492: An integer underflow in WhatsApp for Android prior to v2.22.16.2, WhatsApp for iOS v2.22.15.9 could have caused remote code execution when receiving a crafted video file.
Both bugs are listed as potentially leading to remote code execution, or RCE for short, meaning that booby-trapped data could force the app to crash, and that a skilled attacker might be able to manipulate the circumstances of the crash to trigger unauthorized behavior along the way. An integer overflow or underflow typically means that a size or length calculation wrapped around, so that the app allocated or checked one size but then read or wrote another, which is exactly the sort of memory mismanagement that RCE exploits are built on.
When RCE is involved, that "unauthorized behavior" usually means running malicious code, or malware, to subvert your device and take some sort of remote control over it.
From the descriptions, we assume that the first bug required a connected video call before it could be triggered, whereas the second bug sounds as though it could be triggered at other times, such as when reading a message or viewing a video file that had already been downloaded to your device.
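To make the "integer overflow" and "integer underflow" wording concrete, here is an added example in C. It is not WhatsApp code and does not reproduce either real bug: the frame format (a 12-byte header of width, height and payload length, a payload, and a 16-byte trailer) is invented for the illustration, and the constructed frames fed to it are made up. It shows the two wrap-arounds side by side with hardened versions that validate the arithmetic before trusting it, so a crafted header is rejected instead of producing an undersized buffer or an oversized copy.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* HYPOTHETICAL frame format, invented for this illustration (it is not
 * WhatsApp's real video format and these are not the real bugs):
 *   12-byte header: three little-endian u32 fields: width, height, payload_len
 *   payload_len bytes of payload, the last TRAILER_LEN of which are a trailer */
#define HDR_LEN      12u
#define TRAILER_LEN  16u
#define BYTES_PER_PX 4u

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* ---- the vulnerable arithmetic ----------------------------------------- */

/* Integer OVERFLOW: width * height * 4 wraps modulo 2^32. A 65536 x 65537
 * frame yields 262144, so the decoder would get a 256 KiB buffer and then
 * write more than 16 GiB of pixels into it. */
uint32_t vuln_pixel_buf_size(uint32_t width, uint32_t height) {
    return width * height * BYTES_PER_PX;     /* wraps silently */
}

/* Integer UNDERFLOW: payload_len - 16 wraps to ~4 GiB when payload_len < 16,
 * so a memcpy() of the "body" reads far past the bytes actually received. */
uint32_t vuln_body_len(uint32_t payload_len) {
    return payload_len - TRAILER_LEN;         /* wraps silently */
}

/* ---- the hardened versions: validate before you compute ---------------- */

/* Returns the pixel buffer size, or -1 if the geometry is absurd or the
 * product would not fit in 32 bits. The multiplication is done in 64 bits,
 * where (2^32-1)^2 still fits. */
int64_t safe_pixel_buf_size(uint32_t width, uint32_t height) {
    if (width == 0 || height == 0) return -1;
    uint64_t px = (uint64_t)width * height;
    if (px > UINT32_MAX / BYTES_PER_PX) return -1;
    return (int64_t)(px * BYTES_PER_PX);
}

/* Returns payload_len - 16, or -1 if there is no room for the trailer. */
int64_t safe_body_len(uint32_t payload_len) {
    if (payload_len < TRAILER_LEN) return -1;
    return (int64_t)(payload_len - TRAILER_LEN);
}

/* Validates a received frame of `avail` bytes. Returns the body length to
 * copy, or -1 if any declared size is inconsistent with the bytes in hand. */
int64_t safe_parse_frame(const uint8_t *buf, size_t avail) {
    if (avail < HDR_LEN) return -1;
    uint32_t width  = rd32(buf);
    uint32_t height = rd32(buf + 4);
    uint32_t plen   = rd32(buf + 8);
    if (safe_pixel_buf_size(width, height) < 0) return -1;
    int64_t body = safe_body_len(plen);
    if (body < 0) return -1;
    if ((uint64_t)plen > avail - HDR_LEN) return -1;   /* declared > received */
    return body;
}

/* Builds a constructed frame with the given header fields followed by
 * `received` zero bytes (capped at 64) and feeds it to safe_parse_frame(). */
int64_t parse_constructed_frame(uint32_t width, uint32_t height,
                                uint32_t plen, size_t received) {
    uint8_t frame[HDR_LEN + 64] = {0};
    if (received > 64) received = 64;
    wr32(frame, width); wr32(frame + 4, height); wr32(frame + 8, plen);
    return safe_parse_frame(frame, HDR_LEN + received);
}

int main(void) {
    printf("vuln overflow  65536x65537 -> %u bytes\n", vuln_pixel_buf_size(65536, 65537));
    printf("vuln underflow payload 8   -> %u bytes\n", vuln_body_len(8));
    printf("safe overflow  -> %lld\n", (long long)parse_constructed_frame(65536, 65537, 40, 40));
    printf("safe underflow -> %lld\n", (long long)parse_constructed_frame(640, 480, 8, 8));
    printf("safe truncated -> %lld\n", (long long)parse_constructed_frame(640, 480, 40, 20));
    printf("safe ok        -> %lld\n", (long long)parse_constructed_frame(640, 480, 40, 40));
    return 0;
}
```

The third check in safe_parse_frame(), that the declared payload length does not exceed the bytes actually received, is the one most often forgotten: even with the arithmetic fixed, a length field is attacker-controlled data and must be compared against what is really in the buffer before anything is copied.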
Mobile apps are typically much more tightly regulated by the operating system than apps on laptops or servers, where local files are generally accessible to, and shared among, multiple programs.
This, in turn, means that compromising a single mobile app generally poses less of a risk than a similar malware attack on your laptop.
On your laptop, for example, your podcast player can probably see your documents by default, even if none of them are audio files, and your photo program can probably rummage through your spreadsheet folder (and vice versa).
However, there’s usually a much tighter separation between apps on your mobile device, so by default your podcast player can’t see documents, your spreadsheet program can’t search your photos, and your photos app can’t see audio files or documents.
But even access to a single "sandboxed" app and its data may be all an attacker wants or needs, especially if that app is the one you use to communicate securely with your colleagues, friends and family, such as WhatsApp.
WhatsApp malware that could read your past messages, or even just your contact list and nothing else, could be a treasure trove of data for online criminals, especially if their goal is to learn more about you and your business so they can sell that inside information to other crooks on the dark web.
A software bug that opens up a cybersecurity hole is classified as a vulnerability, and any attack that makes practical use of a specific vulnerability is referred to as an exploit.
And any known vulnerability in WhatsApp that could conceivably be exploited for snooping purposes is worth patching as soon as possible, even if no one ever finds a working data-stealing or malware-injecting exploit for it.
(Not all vulnerabilities turn out to be exploitable for RCE: some bugs are sufficiently capricious that, even if they can be triggered reliably enough to provoke a crash, or a denial of service, they can't be tamed well enough to take over the crashed app completely.)
What to do?
The good news is that the bugs listed here appear to have been patched almost a month ago, even though the latest reports we've seen imply that they pose a clear and present danger to WhatsApp users.
As WhatsApp's advisory page points out, these two so-called "zero-day" holes are patched in all variants of the app, both Android and iOS, with version numbers of 2.22.16.12 or later.
According to Apple's App Store, the current version of WhatsApp for iOS (both the Messenger and Business variants) is already 2.22.19.78, with five intervening updates released since the first fix for the bugs above, which appeared a month ago.
On Google Play, WhatsApp is already at 2.22.19.76 (version numbers aren't always exactly the same between operating systems, but they are usually close).
In other words, if your device is set to autoupdate, you should already have been patched against these WhatsApp threats for about a month.
To check the apps you have installed, when they were last updated and which version you have, open the App Store app on iOS or the Play Store app on Android.
Tap your account icon to get to the list of apps installed on your device, including the date of the last update and the version number you currently have.
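If you are checking fleet devices against an advisory rather than eyeballing one app store page, there is a pitfall in the version numbers above: "prior to v2.22.16.12" has to be evaluated component by component, because a plain string comparison ranks 2.22.16.12 below 2.22.16.2. The following is an added example in C, not WhatsApp's or either app store's code; the version strings it compares are the ones quoted from the advisory and from the app stores above.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Read one numeric component and step over the following '.'. Anything
 * that is neither a digit nor a dot (e.g. "-beta") ends the version. */
static unsigned long next_component(const char **s) {
    unsigned long v = 0;
    while (**s >= '0' && **s <= '9') {
        v = v * 10 + (unsigned long)(**s - '0');
        (*s)++;
    }
    if (**s == '.') (*s)++;
    else while (**s) (*s)++;
    return v;
}

/* Numeric, component-wise comparison. Returns <0, 0 or >0 like strcmp().
 * Missing trailing components count as 0, so "2.22.16" < "2.22.16.12". */
int vercmp(const char *a, const char *b) {
    if (*a == 'v' || *a == 'V') a++;     /* tolerate the advisory's "v2.22.16.12" */
    if (*b == 'v' || *b == 'V') b++;
    while (*a || *b) {
        unsigned long x = next_component(&a);
        unsigned long y = next_component(&b);
        if (x != y) return x < y ? -1 : 1;
    }
    return 0;
}

/* "Patched" means the fixed version or anything later. */
bool is_patched(const char *installed, const char *fixed_in) {
    return vercmp(installed, fixed_in) >= 0;
}

/* The tempting but WRONG way: plain string comparison, which ranks
 * "2.22.16.12" below "2.22.16.2" because '1' sorts before '2'. */
bool naive_is_patched(const char *installed, const char *fixed_in) {
    return strcmp(installed, fixed_in) >= 0;
}

int main(void) {
    /* Fixed versions from the advisory (CVE-2022-36934, then CVE-2022-27492 on Android) */
    const char *fixes[] = {"2.22.16.12", "2.22.16.2"};
    /* Constructed sample of installed versions, including the app-store versions quoted above */
    const char *seen[]  = {"2.22.15.9", "2.22.16.2", "2.22.16.12", "2.22.19.78"};
    for (size_t i = 0; i < sizeof seen / sizeof seen[0]; i++)
        printf("%-11s CVE-2022-36934:%-10s CVE-2022-27492:%-10s (strcmp would say %s)\n",
               seen[i],
               is_patched(seen[i], fixes[0]) ? "patched" : "VULNERABLE",
               is_patched(seen[i], fixes[1]) ? "patched" : "VULNERABLE",
               naive_is_patched(seen[i], fixes[0]) ? "patched" : "VULNERABLE");
    return 0;
}
```

On an Android device with USB debugging enabled, the installed version string to feed into is_patched() can be read with `adb shell dumpsys package com.whatsapp | grep versionName`; on iOS it has to be read from the App Store listing as described above.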