Our news feed has been humming with WhatsApp safety alerts over the past day or so.
Numerous stories linked to two tweets that claimed WhatsApp had two zero-day security flaws, citing CVE-2022-36934 and CVE-2022-27492 as the issue identifiers.
One report, apparently based on those tweets, excitedly maintained that not only were these zero-day issues, but that the WhatsApp team themselves had discovered and repaired them.
By definition, a zero-day refers to a problem that was found and successfully exploited before a patch was made available, so there were zero days during which even the most diligent system administrator with the most progressive approach to patching could have been ahead of the game.
To put it another way, the whole point of calling a bug a zero-day (often written with just a digit, as 0-day) is to convince people that the patch is at least as important as ever, and possibly even more important than that, since applying the patch is more about catching up with the thieves than about staying ahead of them.
An issue that developers independently find and fix in their upcoming version is not a zero-day, because the Good Guys were the ones to find it first.
It’s also not a zero-day if security researchers adhere to the principle of responsible disclosure, in which they disclose the specifics of a new defect to a vendor but agree not to make those details public for a predetermined amount of time to give the company time to develop a patch.
A responsible disclosure deadline for publishing a writeup of the defect serves two purposes: it allows the researcher to claim credit for the effort, and it discourages the vendor from ignoring the problem, since they know it will eventually be revealed.
What then is the reality?
Is WhatsApp currently a target of cybercriminals’ attacks? Is there a present and obvious threat here?
Should WhatsApp users be concerned?
If you’re unsure, see the advice below.
The reports currently making the rounds, as far as we can tell, are based on details taken straight from WhatsApp’s own 2022 security alert website, which states [2022-09-27T16:17:00Z]:
WhatsApp Security Recommendations
Updates for 2022
August Update
CVE-2022-36934
In WhatsApp for Android previous to version 2.2.16.12, Business for Android prior to version 2.2.16.12, iOS prior to version 2.2.16.12, and Business for iOS prior to version 2.2.16.12, an integer overflow might lead to remote code execution during an active video call.
CVE-2022-27492
When receiving a manipulated video file, an integer underflow in WhatsApp for Android prior to v2.22.16.2 and WhatsApp for iOS prior to v2.22.15.9 might have led to remote code execution.
Both of the bugs are classified as having the potential to result in remote code execution, or RCE for short. This means that malicious data could cause the app to crash, and that an experienced attacker might be able to manipulate the circumstances of the crash so that unauthorised behaviour is triggered as a result.
When an RCE is involved, such “unauthorised behaviour” usually refers to the execution of malware, or malicious programme code, to compromise and seize some degree of remote control over your device.
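The integer overflow and integer underflow that the two advisories describe, shown here as an added illustration that is not part of the original article or of WhatsApp’s own code: a constructed video chunk header whose size arithmetic is done naively, beside a hardened version that rejects manipulated values before any buffer is sized from them. The struct layout, HDR_LEN and MAX_CHUNK_PAYLOAD are assumptions made for this example.

```c
#include <stdbool.h>
#include <stdint.h>

/* Constructed header for this example: fields a manipulated video file could
 * declare. Names and layout are assumptions, not WhatsApp's real format. */
struct chunk_hdr {
    uint32_t frame_count;  /* number of frames in the chunk */
    uint32_t frame_size;   /* bytes per frame */
    uint32_t chunk_len;    /* declared chunk length, header included */
};

#define HDR_LEN            12u          /* size of chunk_hdr on the wire */
#define MAX_CHUNK_PAYLOAD  (64u << 20)  /* assumed sane ceiling: 64 MiB */

/* Integer overflow: the product of two untrusted 32-bit values wraps in 32-bit
 * arithmetic, so a buffer sized from it is far smaller than the data copied. */
uint32_t payload_bytes_unchecked(const struct chunk_hdr *h) {
    return h->frame_count * h->frame_size;
}

/* Integer underflow: subtracting the header size from a declared length that is
 * smaller than the header wraps to a huge "remaining bytes" value. */
uint32_t body_len_unchecked(const struct chunk_hdr *h) {
    return h->chunk_len - HDR_LEN;
}

/* Hardened: widen to 64 bits, reject anything above a plausible ceiling, and
 * only then narrow the result back to the size type the allocator gets. */
bool payload_bytes_checked(const struct chunk_hdr *h, uint32_t *out) {
    uint64_t total = (uint64_t)h->frame_count * (uint64_t)h->frame_size;
    if (total > MAX_CHUNK_PAYLOAD)
        return false;
    *out = (uint32_t)total;
    return true;
}

/* Hardened: establish the precondition before subtracting. */
bool body_len_checked(const struct chunk_hdr *h, uint32_t *out) {
    if (h->chunk_len < HDR_LEN || h->chunk_len - HDR_LEN > MAX_CHUNK_PAYLOAD)
        return false;
    *out = h->chunk_len - HDR_LEN;
    return true;
}

/* A parser should accept a chunk only when both checks pass and agree. */
bool chunk_hdr_is_sane(const struct chunk_hdr *h) {
    uint32_t payload, body;
    return payload_bytes_checked(h, &payload) &&
           body_len_checked(h, &body) && payload == body;
}
```

With frame_count 0x10000 and frame_size 0x10001 the unchecked product wraps to 0x10000, and a declared chunk_len of 4 underflows to 0xFFFFFFF8; the checked versions reject both.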
According to the descriptions, the first bug has to be triggered during a call in order to be activated, but the second problem sounds as if it might be activated at other times, such as while you’re reading a message or looking at a file that has already been downloaded to your device.
Unlike apps on laptops or servers, where local data are typically accessible to and frequently exchanged across different programmes, mobile apps are typically subject to considerably stricter regulation by the operating system.
This implies that the compromise of a single mobile app often presents a lower danger than a similar malware attack on your desktop.
For instance, even if none of the documents on your laptop contain audio files, your podcast player may be able to peep at them by default, and your photo application may be able to snoop about in your spreadsheet folder (and vice versa).
On your mobile device, however, there is often a much stricter separation between apps, so that, at the very least by default, your spreadsheet software cannot browse your photographs, your podcast player cannot see documents, and your photo app cannot view audio files or documents.
However, if you use a single “sandboxed” app like WhatsApp for safe communication with coworkers, friends, and family, access to that app and its data may be all that an attacker seeks or requires.
In particular, if their objective is to learn more about you and your company in order to sell that inside information to other criminals on the dark web, WhatsApp spyware that could read only your list of contacts and no other data may be a gold mine for online criminals.
A vulnerability is a software flaw that exposes cybersecurity gaps, and an exploit is an assault that actively takes advantage of a particular weakness.
And even if no one ever develops a successful exploit for data theft or malware implantation, any known vulnerability in WhatsApp that might be exploited for spying purposes is definitely worth addressing as soon as feasible.
Some bugs turn out to be so capricious that even if they can reliably be triggered to create a crash or denial of service, they can’t be tamed well enough to gain complete control of the crashed programme. (Not all vulnerabilities wind up being exploitable for RCE.)
Now what?
While the most recent reports we’ve heard imply that these weaknesses constitute an obvious and immediate danger to WhatsApp users, the good news is that the problems described above appear to have been addressed almost a month ago.
These two so-called “zero-day” weaknesses are addressed in all versions of the WhatsApp app, for both Android and iOS, with version numbers 2.22.16.12 or later, according to the WhatsApp alert website.
According to Apple’s App Store, WhatsApp for iOS (both the Messenger and Business flavours) is currently at version 2.22.19.78, with at least five upgrades released since the fix for the aforementioned bugs, which came out more than a month ago.
WhatsApp is already at version 2.22.19.76 on Google Play (versions don’t always match up perfectly between different operating systems, although they frequently come close).
In other words, if you have auto-update enabled on your smartphone, you should already have been protected against these WhatsApp security concerns for nearly a month.
Open the App Store app on iOS or the Play Store app on Android to view the apps you have installed, the date they were most recently updated, and their version information.
To see a list of the apps you have installed on your device, together with information about when they were most recently updated and what version they are now running on, tap the icon for your account.