WhatsApp zero-day exploit messages scare – you need to know – Naked Security

For the last day or two, our news feed was full of WhatsApp alerts.

We have seen many reports linking to two tweets claiming that there are two zero-day security vulnerabilities in WhatsApp, listing their bug IDs as CVE-2022-36934 and CVE-2022-27492.

One of the articles, apparently based on these tweets, not only claimed with bated breath that they were zero-day errors, but also that they were detected internally and fixed by the WhatsApp team itself.

By definition, however, A. zero-day refers to a bug that attackers discovered and figured out how to exploit before the patch was available, so there weren’t any days when even the most proactive administrator with the most progressive patching approach could get ahead of the game.

In other words, the whole idea is to say that error is day zero (often written only in numerals because 0 days) is to convince people that the patch is at least as important as ever, and maybe even more important, because installing it is more a matter of catching up with criminals than keeping them from them.

If the developers discover the bug themselves and will fix it on their own in the next update, it’s not day zero as the Good Guys got there first.

Similarly, if security researchers follow the principle: responsible disclosurewhere they disclose details to vendors of a new bug but agree not to post the details for an agreed period of time to give the vendor time to create a fix, this is not day zero.

Scheduling a responsible disclosure deadline to publish a bug description serves two purposes, namely that the researcher will ultimately receive a credit for the work, while the seller cannot sweep the problem under the rug knowing that it will be disclosed last anyway.

So what is the truth?

Is WhatsApp currently being actively attacked by cybercriminals? Is this a clear and present danger?

How concerned should WhatsApp users be?