Data: CASIE
Trigger word:
is out
Negative Trigger
that
the
flaw
was reported
Vulnerability-related.DiscoverVulnerability
to
WhatsApp
in
August
,
and
has been patched
Vulnerability-related.PatchVulnerability
in
the
latest
version
–
so
you
’
ll
want
to
check
for
an
update
.
Google
Project
Zero
whizkid
and
Tamagotchi
whisperer
Natalie
Silvanovich
discovered and reported
Vulnerability-related.DiscoverVulnerability
the
flaw
,
a
memory
heap
overflow
issue
,
directly
to
WhatsApp
in
August
.
Now
that
a
fix
is out
Vulnerability-related.PatchVulnerability
,
Silvanovich
can
go public
Vulnerability-related.DiscoverVulnerability
with
details
on
the
potentially
serious
flaw
.
According
to
Silvanovich’s report
Vulnerability-related.DiscoverVulnerability
,
the
bug
is
triggered
when
a
user
receives
a
malformed
RTP
packet
,
triggering
the
corruption
error
and
crashing
the
application
.
In
practice
,
the
malformed
packet
that
triggers
the
crash
could
be
sent
via
a
simple
call
request
.
“
This
issue
can
occur
when
a
WhatsApp
user
accepts
a
call
from
a
malicious
peer
,
”
Silvanovich
explained
.
It
’
s
not
clear
whether
the
WhatsApp
security
flaw
could
be exploited
Vulnerability-related.DiscoverVulnerability
for
remote
code
execution
,
but
this
is
a
possibility
,
and
a
sufficient
risk
for
a
fellow
Google
researcher
to
describe
Vulnerability-related.DiscoverVulnerability
it
as
‘
a
big
deal.
’
“
This
is
a
big
deal
,
”
tweeted
Travis
Ormandy
.
“
Just
answering
a
call
from
an
attacker
could
completely
compromise
WhatsApp.
”
The
same
vulnerability
was present in
Vulnerability-related.DiscoverVulnerability
the
Android
app
,
which
has also been patched
Vulnerability-related.PatchVulnerability
.
The
Register
says
it
is
still
waiting
to
hear
from
Google
on
more
details
,
for
example
whether
the
desktop
app
is similarly affected
Vulnerability-related.DiscoverVulnerability
.
It
’
s
not
the
first
time
of
late
that
a
WhatsApp
security
issue
has been identified
Vulnerability-related.DiscoverVulnerability
.
Back
in
August
,
it
was discovered
Vulnerability-related.DiscoverVulnerability
that
it
was
possible
for
an
attacker
to
change
both
the
content
and
the
sender
of
a
WhatsApp
message
after
you
’
ve
received
it
.
WhatsApp
has patched
Vulnerability-related.PatchVulnerability
a
vulnerability
in
its
smartphone
code
that
could
have
been exploited
Vulnerability-related.DiscoverVulnerability
by
miscreants
to
crash
victims
'
chat
app
simply
by
placing
a
call
.
Google
Project
Zero
whizkid
and
Tamagotchi
whisperer
Natalie
Silvanovich
discovered and reported
Vulnerability-related.DiscoverVulnerability
the
flaw
,
a
memory
heap
overflow
issue
,
directly
to
WhatsApp
in
August
.
Now
that
a
fix
is out
Vulnerability-related.PatchVulnerability
,
Silvanovich
can go public
Vulnerability-related.DiscoverVulnerability
with
details
on
the
potentially
serious
flaw
.
According
to
Silvanovich
's
report
,
the
bug
is
triggered
when
a
user
receives
a
malformed
RTP
packet
,
triggering
the
corruption
error
and
crashing
the
application
.
In
practice
,
the
malformed
packet
that
triggers
the
crash
could
be
sent
via
a
simple
call
request
.
``
This
issue
can
occur
when
a
WhatsApp
user
accepts
a
call
from
a
malicious
peer
,
''
Silvanovich
explained
.
``
It
affects
both
the
Android
and
iPhone
clients
.
''
While
Silvanovich
has
not
said
whether
further
actions
(
like
remote
code
execution
)
would
be
possible
to
pull
off
in
the
wild
,
the
flaw
was
serious
enough
to
draw
the
attention
of
fellow
Google
researcher
Tavis
Ormandy
.
Fortunately
,
as
the
bug
has been patched
Vulnerability-related.PatchVulnerability
users
will
be
able
to
get
Vulnerability-related.PatchVulnerability
a
fix
for
the
flaw
by
updating
Vulnerability-related.PatchVulnerability
to
the
latest
version
of
WhatsApp
on
Android
and
iOS
.
We
're
still
waiting
to
hear
from
Google
or
Facebook
on
more
details
,
such
as
if
the
desktop
app
is
affected
of
if
RCE
is
possible
,
but
its
PR
team
has
a
lot
on
today
.
The
disclosure
will
add
another
to
the
growing
list
of
apps
that
will
need
to
be
updated
thanks
to
October
security
patches
.
Earlier
today
,
Microsoft
delivered
Vulnerability-related.PatchVulnerability
its
Patch
Tuesday
security
bundle
,
with
Adobe
dropping
Vulnerability-related.PatchVulnerability
its
second
major
patch
bundle
in
as
many
weeks
and
Google
having posted
Vulnerability-related.PatchVulnerability
the
Android
monthly
update
last
week
.