A WhatsApp vulnerability could have let attackers launch a remote code execution attack on Android, iOS, and Windows phones. The flaw meant that criminals could have sent a specially crafted MP4 video file that would cause a buffer overflow.
“The issue was present in parsing the elementary stream metadata of an MP4 file and could result in a DoS or RCE,” explains the CVE-2019-11931 description.
A buffer overflow happens when an app tries to write more data to a buffer than it’s allocated to hold. The additional information can corrupt nearby space in memory and let attackers meddle, leading to a Denial of Service attack or Remote Code Execution.
The bug is present in Android versions lower than 2.19.274 and iOS versions below 2.19.1000. It’s also present in Enterprise Client, Business for Android, and Business for iOS versions.
Essentially, this flaw could have caused some real damage to customers and enterprises. Thankfully, Facebook says it’s patched the vulnerability and tells Threatpost there’s currently no evidence of it being exploited in the wild.
A similar vulnerability existed through GIF files on Android devices and was reported in October. In May a flaw was discovered that let attackers deploy spyware via unanswered video calls.
“WhatsApp cares deeply about the privacy of our users and we’re constantly working to enhance the security of our service,” WhatsApp told Threatpost. “We make public reports on potential issues we have fixed consistent with industry best practices. In this instance there is no reason to believe users were impacted.”
Now that the vulnerability is in the open there’s a much higher chance attackers will try to exploit it. As a result, it’s critically important that users update their app to the latest version. That is, unless you’re a Windows phone user, in which case the app will be shut down soon anyway.