For the last day or two, our news feed was full of WhatsApp alerts.
We have seen many reports linking to two tweets claiming that there are two zero-day security vulnerabilities in WhatsApp, listing their bug IDs as CVE-2022-36934 and CVE-2022-27492.
One of the articles, apparently based on these tweets, not only claimed with bated breath that they were zero-day errors, but also that they were detected internally and fixed by the WhatsApp team itself.
By definition, however, A. zero-day refers to a bug that attackers discovered and figured out how to exploit before the patch was available, so there weren’t any days when even the most proactive administrator with the most progressive patching approach could get ahead of the game.
In other words, the whole idea is to say that error is day zero (often written only in numerals because 0 days) is to convince people that the patch is at least as important as ever, and maybe even more important, because installing it is more a matter of catching up with criminals than keeping them from them.
If the developers discover the bug themselves and will fix it on their own in the next update, it’s not day zero as the Good Guys got there first.
Similarly, if security researchers follow the principle: responsible disclosurewhere they disclose details to vendors of a new bug but agree not to post the details for an agreed period of time to give the vendor time to create a fix, this is not day zero.
Scheduling a responsible disclosure deadline to publish a bug description serves two purposes, namely that the researcher will ultimately receive a credit for the work, while the seller cannot sweep the problem under the rug knowing that it will be disclosed last anyway.
So what is the truth?
Is WhatsApp currently being actively attacked by cybercriminals? Is this a clear and present danger?
How concerned should WhatsApp users be?
If in doubt, consult an advisor
As far as we know, the reports circulating at the moment are based on information directly from WhatsApp’s own security advice 2022 page, which says [2022-09-27T16:17:00Z]:
WhatsApp Security Advisories 2022 Updates September Update CVE-2022-36934 An integer overflow in WhatsApp for Android prior to v126.96.36.199, Business for Android prior to v188.8.131.52, iOS prior to v184.108.40.206, Business for iOS prior to v220.127.116.11 could result in remote code execution in an established video call. CVE-2022-27492 An integer underflow in WhatsApp for Android prior to v18.104.22.168, WhatsApp for iOS v22.214.171.124 could have caused remote code execution when receiving a crafted video file.
Both errors are listed as potentially leading to remote code executionor RCE for short, meaning that data traps can force an application to crash, and an experienced attacker may be able to fake the crash circumstances to trigger unauthorized behavior along the way.
Typically, when RCE is involved, “unauthorized behavior” means launching malicious program code or malware in order to undermine and take some form of remote control of the device.
From the descriptions, we assume that the first error required a connection before it could be triggered, while the second error sounds as if it could have been triggered at a different time, such as when reading a message or viewing a file already downloaded to your device.
Mobile applications are usually much more rigorously regulated by the operating system than applications on laptops or servers, where local files are generally available to multiple programs and share them together.
This in turn means that compromising a single mobile application generally poses less risk than a similar malware attack on a laptop.
For example, on your laptop, your podcast player might look at your documents by default, even if none of them are an audio file, and your photo program might likely take root in your spreadsheet folder (and vice versa).
However, on a mobile device, there’s usually a much tighter separation between apps, so at least by default, the podcast player doesn’t see documents, the spreadsheet program can’t view photos, and the photo app can’t see audio files or documents.
However, even accessing a single sandbox application and its data can be all an attacker wants or needs, especially if that application is the one you use to securely communicate with colleagues, friends, and family such as WhatsApp.
WhatsApp malware that can read your past messages or even just your contact list and nothing else can be a treasury of data for online criminals, especially if their goal is to find out more about you and your business in order to sell them inside information about other scammers in the dark web.
A software bug that opens up cybersecurity loopholes is known as weak pointand any attack that effectively exploits a specific vulnerability is known as an to use.
And every known vulnerability in WhatsApp that can be used for espionage is worth patching as soon as possible, even if no one ever comes up with a working exploit to steal data or implant malware.
(Not all vulnerabilities can be used for RCE – some bugs turn out to be capricious enough that, even though they can be reliably triggered, to provoke a failure, or denial of servicethey cannot be tamed well enough to take over the app crash completely.)
What to do?
The good news is that the bugs listed here were apparently patched close to a month ago, even though the latest reports we saw suggest that these bugs pose a clear and current threat to WhatsApp users.
As the WhatsApp Tips page points out, these two so-called “zero-day” holes are patched in all versions of the app, both Android and iOS, with version numbers 126.96.36.199 or later.
According to the Apple App Store, the current iOS version of WhatsApp (both Messenger and Business) is now available 188.8.131.52with five updates released since the first patch, which fixed the above-mentioned bugs, which was released a month ago.
In Google Play, WhatsApp is ready 184.108.40.206 (the versions do not always exactly match the different operating systems, but are often similar).
In other words, if you’ve set your device to auto-update, you should already be patched against these WhatsApp threats for about a month now.
To check installed applications, their latest update and version details, write Application Store iOS application, or Play store on Android.
Tap your account icon to access a list of the apps installed on your device, including details about their last update and current version number.