WhatsApp RCE flaw can be exploited by sending malicious MP4 files
Facebook has patched a critical vulnerability (CVE-2019-11931) affecting various versions of its popular WhatsApp Messenger app and is urging users to update as soon as possible.
About the patched flaw (CVE-2019-11931)
CVE-2019-11931 is a stack-based buffer overflow vulnerability that could be triggered in WhatsApp by sending a specially crafted MP4 file to a WhatsApp user.
“The issue was present in parsing the elementary stream metadata of an MP4 file and could result in a DoS [denial of service] or RCE [remote code execution],” Facebook explained in a (light) security advisory.
The vulnerability affects:
- Android versions prior to 2.19.274
- iOS versions prior to 2.19.100
- Enterprise Client versions prior to 2.25.3
- Windows Phone versions before and including 2.18.368
- Business for Android versions prior to 2.19.104, and
- Business for iOS versions prior to 2.19.100.
There is no indication that the flaw is being actively exploited. Facebook also doesn’t specify whether any user interaction is required for exploitation, so assume that it’s not.
Upgrade today
Users would do well to upgrade to the newest offered versions, especially if their WhatsApp is configured to automatically download photo, video or audio files sent to them.
This latest issue brings to mind CVE-2019-3568, the buffer overflow vulnerability in WhatsApp VoIP stack that allowed remote code execution via specially crafted series of SRTCP packets sent to a target phone number.
Publicly revealed in May 2019, it had been exploited in extremely targeted attacks to deliver the Pegasus mobile spyware developed by Israeli company NSO Group.
Less than a month ago, Facebook filed a suit against NSO Group, saying that it exploited CVE-2019-3568 to infect over 1,400 phones with malware.
Facebook says NSO Group violated the U.S. Computer Fraud and Abuse Act and wants a U.S. court to bar the company from using Facebook and WhatsApp services and systems and to pay for the damage it has caused to Facebook.