WhatsApp logo

Critical WhatsApp vulnerabilities patched: Check you’ve updated!

WhatsApp has fixed two remote code execution vulnerabilities in its September update, according to its security advisory. These could have allowed an attacker to remotely access a device and execute commands from afar.

These versions of WhatsApp are affected by at least one of the vulnerabilities:

  • WhatsApp for Android prior to v2.22.16.12
  • WhatsApp Business for Android prior to v2.22.16.12
  • WhatsApp for iOS prior to v2.22.16.12
  • WhatsApp Business for iOS prior to v2.22.16.12

WhatsApp for Android prior to v2.22.16.2 and WhatsApp for iOS v2.22.15.9 are affected by both.

How to make sure you’re protected

There are no indications that these vulnerabilities have already been exploited. The vulnerabilities were found by the WhatsApp internal security team and silently fixed, so there is a good chance that your WhatsApp has already been updated. However, it never hurts to check.

Note: the methods described below may be slightly different based on the brand, type, and model of your phone, but should give you a good general idea of where to look.

If you have an iPhone, go to the App Store and tap Updates. When you find WhatsApp, tap the Update button next to the app. Your phone should then start installing the update.

If you own an Android phone, click on Play Store, then on the menu button. Under My apps and games, tap Update next to WhatsApp Messenger.

Stay safe, everyone!

Technical details

CVE-2022-36934: An integer overflow in WhatsApp could result in remote code execution (RCE) in an established video call. An integer overflow occurs when an integer value gets assigned a value that is too large to store in the reserved representation that can be represented with a given number of digits. Usually this will be higher than the maximum, but it can also be lower than the minimum representable value. By writing a larger value into the memory an attacker could overwrite other parts of the systems memory and abuse that ability to remotely execute code.

This RCE bug affects a piece of code in the WhatsApp component Video Call Handler, which allows an attacker to manipulate the bug to trigger a heap-based buffer overflow and take complete control of WhatsApp Messenger. A buffer overflow is a type of software vulnerability that exists when an area of memory within a software application reaches its address boundary and writes into an adjacent memory region. In software exploit code, two common areas that are targeted for overflows are the stack and the heap.

The heap is an area of memory made available use by the program. The program can request blocks of memory for its use within the heap. In order to allocate a block of some size, the program makes an explicit request by calling the heap allocation operation.

CVE-2022-27492: An integer underflow in WhatsApp could have caused remote code execution when receiving a crafted video file. Integer underflow errors are usually errors that occur when a number that should always be positive gets assigned a negative value. A perfect example of an integer underflow error is when array index errors are used with a negative value. This type of weakness will lead to undefined behavior and often crashes. In the case of overflows involving loop index variables, the likelihood of infinite loops is also high.

This RCE bug affects an unspecified code block of the component Video File Handler. The manipulation with an unknown input leads to a memory corruption vulnerability. To exploit this vulnerability, attackers would have to drop a crafted video file on the user’s WhatsApp messenger and convince the user to play it.

ABOUT THE AUTHOR

Pieter Arntz

Malware Intelligence Researcher

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.