WhatsApp yesterday disclosed a critical bug that it claims may have affected older installations on various devices that have not been updated to the latest software version.
The Meta-owned app published details of the “critical” vulnerability in the September update of the WhatsApp security advisory page, which was released on September 23rd.
These versions of WhatsApp are affected by at least one of the vulnerabilities:
• WhatsApp for Android prior to v2.22.16.12
• WhatsApp Business for Android prior to v2.22.16.12
• WhatsApp for iOS prior to v2.22.16.12
• WhatsApp Business for iOS prior to v2.22.16.12
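The vulnerability could allow an attacker to exploit a coding error known as an integer overflow, in which the result of an arithmetic operation exceeds the range of the integer type that stores it.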
“An integer overflow in WhatsApp for Android prior to v2.22.16.12, Business for Android prior to v2.22.16.12, iOS prior to v2.22.16.12, Business for iOS prior to v2.22.16.12 could result in remote code execution in an established video call,” WhatsApp noted in the update.
In remote code execution, an attacker can remotely execute commands on someone else’s computing device.
Remote code execution (RCE) attacks usually occur due to malware downloaded by the host and can happen regardless of the device’s geographic location.
The recently disclosed vulnerability is tracked as CVE-2022-36934, with a severity score of 9.8 out of 10 on the CVSS scale.
WhatsApp also revealed details of another bug that could have caused remote code execution when receiving a crafted video file.
Both of these vulnerabilities have been patched in the latest versions of WhatsApp.
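To check a device inventory against the fixed release named above, the following added example (not code from WhatsApp or from this article) compares version components numerically. The product labels and inventory rows are constructed for illustration.

```python
import re

# Fixed release taken from the article; the product keys are labels made up for this example.
FIXED = {
    "whatsapp-android": (2, 22, 16, 12),
    "whatsapp-business-android": (2, 22, 16, 12),
    "whatsapp-ios": (2, 22, 16, 12),
    "whatsapp-business-ios": (2, 22, 16, 12),
}

# Constructed sample inventory rows: (device, product, reported version).
INVENTORY = [
    ("phone-01", "whatsapp-android", "2.22.9.78"),
    ("phone-02", "whatsapp-ios", "v2.22.16.12"),
    ("phone-03", "whatsapp-business-android", "2.22.16"),
    ("phone-04", "whatsapp-android", "2.23.1.5"),
    ("phone-05", "whatsapp-ios", "unknown build"),
]

def parse_version(text):
    """Parse 'v2.22.16.12' or '2.22.16.12' into a tuple of ints, else None."""
    match = re.fullmatch(r"v?(\d+(?:\.\d+)*)", text.strip())
    if match is None:
        return None
    return tuple(int(part) for part in match.group(1).split("."))

def status(product, version):
    """Classify one install as affected, patched, unknown or not-covered."""
    fixed = FIXED.get(product)
    if fixed is None:
        return "not-covered"      # product is not on the article's list
    parsed = parse_version(version)
    if parsed is None:
        return "unknown"          # unparseable version: needs manual review
    # Pad with zeros so '2.22.16' is compared as 2.22.16.0.
    width = max(len(parsed), len(fixed))
    pad = lambda parts: parts + (0,) * (width - len(parts))
    # Tuples compare component by component as numbers. Comparing the raw
    # strings would rank '2.22.9.78' above '2.22.16.12' and miss it.
    return "affected" if pad(parsed) < pad(fixed) else "patched"

def triage(rows):
    """Map each device to its status."""
    return {device: status(product, version) for device, product, version in rows}

if __name__ == "__main__":
    for device, verdict in triage(INVENTORY).items():
        print(device, verdict)
```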
On Monday, the company’s CEO announced that it would introduce calling links to make it easier to start and join conversations with a single tap.
CEO Mark Zuckerberg also mentioned that WhatsApp has started testing secure encrypted group video calls for up to 32 people.