WhatsApp has patched a vulnerability it its smartphone code that would allow an attacker to crash a target’s app simply by placing a call.
Google Project Zero researcher Natalie Silvanovich discovered and reported the flaw, a memory heap overflow issue, directly to WhatsApp in August. Now that a fix is out, Silvanovich can go public with details on the potentially serious flaw.
According to Silvanovich’s report, the bug is triggered when a user receives a malformed RTP packet, triggering the corruption error and crashing the application. In practice, the malformed packet that triggers the crash could be sent via a simple call request.
“This issue can occur when a WhatsApp user accepts a call from a malicious peer,” Silvanovich explained. “It affects both the Android and iPhone clients.”
While Silvanovich has not said whether further actions (like remote code execution) would be possible to pull off in the wild, the flaw was serious enough to draw the attention of fellow Google researcher Tavis Ormandy.
This is a big deal. Just answering a call from an attacker could completely compromise WhatsApp. https://t.co/vjHuWt8JYa
— Tavis Ormandy (@taviso) October 9, 2018
Fortunately, as the bug has been patched users will be able to get a fix for the flaw by updating to the latest version of WhatsApp on Android and iOS. We’re still waiting to hear from Google on more details, such as if the desktop app is affected of if RCE is possible, but its PR team has a lot on today.
The disclosure will add another to the growing list of apps that will need to be updated thanks to October security patches. Earlier today, Microsoft delivered its Patch Tuesday security bundle, with Adobe dropping its second major patch bundle in as many weeks and Google having posted the Android monthly update last week. ®