Tuesday, September 27, 2022

WhatsApp fixes ‘serious’ security bug putting Android phone data at risk • TechCrunch

WhatsApp has released details of a “serious” security flaw affecting its Android app that could allow attackers to remotely plant malware on a victim’s smartphone during a video call.

WhatsApp described the flaw, tracked as CVE-2022-36934 with a severity rating of 9.8 out of 10, as an integer overflow bug. This happens when an application performs an arithmetic operation whose result does not fit in the memory allocated to it, causing data to leak out and overwrite other parts of the system memory with potentially malicious code.
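The bug class described above, as an added C example that is not WhatsApp's code and not from the original article: a size computed from untrusted 32-bit fields wraps around, so a buffer allocated from it is far smaller than the data it is meant to hold, and the checked version rejects such input before allocating. The frame_hdr layout, the function names and the 64 MiB limit are assumptions made for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical video frame header; every field comes from the peer. */
struct frame_hdr { uint32_t width, height, bytes_per_px; };

#define MAX_FRAME_BYTES (64u * 1024u * 1024u) /* assumed sanity limit */

/* Unsafe pattern: the 32-bit product silently wraps modulo 2^32. */
uint32_t frame_size_unchecked(const struct frame_hdr *h) {
    return h->width * h->height * h->bytes_per_px;
}

/* Hardened: widen first, then bound the result before multiplying again.
 * Returns 0 and stores the size in *out, or -1 if the header is rejected. */
int frame_size_checked(const struct frame_hdr *h, size_t *out) {
    uint64_t px = (uint64_t)h->width * h->height; /* fits in 64 bits */
    if (px == 0 || h->bytes_per_px == 0) return -1;
    if (px > MAX_FRAME_BYTES / h->bytes_per_px) return -1;
    *out = (size_t)(px * h->bytes_per_px);
    return 0;
}

/* Copy a frame only when the declared size is valid and matches the
 * number of payload bytes actually received. Caller frees the result. */
uint8_t *copy_frame(const struct frame_hdr *h, const uint8_t *payload,
                    size_t payload_len) {
    size_t need;
    if (frame_size_checked(h, &need) != 0 || payload_len != need)
        return NULL;
    uint8_t *buf = malloc(need);
    if (buf) memcpy(buf, payload, need);
    return buf;
}

int main(void) {
    /* Constructed header: true size is about 16 GiB. */
    struct frame_hdr bad = { 65537u, 65536u, 4u };
    size_t n = 0;
    printf("unchecked size: %u bytes\n", (unsigned)frame_size_unchecked(&bad));
    printf("checked result: %d\n", frame_size_checked(&bad, &n));
    return 0;
}
```

With the unchecked size, an allocation would be 256 KiB for a frame that claims roughly 16 GiB of pixels, which is how an arithmetic wrap turns into out-of-bounds memory writes.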

WhatsApp has not shared any other details about the error. But security research firm Malwarebytes said in its own technical analysis that the bug is in a WhatsApp app component called “Video Call Handler”, which if triggered would allow the attacker to take full control of the victim’s app.

WhatsApp spokesperson Joshua Brickman told TechCrunch that bugs were discovered within the company and that the company had seen “no evidence of exploitation.”

The critically rated memory vulnerability is similar to a 2019 bug, which WhatsApp eventually blamed Israeli spyware firm NSO Group in 2019 for using to target 1,400 victims' phones, including those of journalists, human rights defenders and other civilians. The attack took advantage of a flaw in WhatsApp’s voice calling feature that allowed the caller to implant spyware on the victim’s device, regardless of whether the call was answered or not.

WhatsApp also this week revealed details of another vulnerability, CVE-2022-27492, rated “high” in severity at 7.8 out of 10, which could allow hackers to run malicious code on a victim’s iOS device after sending a malicious video file.

“Manipulating unknown input leads to memory impairment,” said Pieter Arntz, an intelligence researcher at Malwarebytes. “To exploit this vulnerability, attackers would have to drop a video file created on the WhatsApp messenger and convince the user to play it.”

Both flaws have been corrected in the latest versions of WhatsApp. Update today.



from San Jose News Bulletin https://sjnewsbulletin.com/whatsapp-fixes-serious-security-bug-putting-android-phone-data-at-risk-techcrunch/
