Facebook has just revealed some details of the WhatsApp buffer vulnerability. In a security bulletin last week, it said CVE-2019-11931 was triggered by a stack-based buffer overflow bug that caused an attacker to send elaborate . MP4 format video file to trigger this vulnerability. Although not providing much technical details, Facebook says the problem is with the encrypted messaging app. The resolution of the MP4 underlying stream metadata.
(Pictured: Google Play, via ZDNet)
If exploited, the vulnerability can result in denial of service (DoS) or remote code execution (RCE) attacks. Whether it’s Android, or iOS clients, the WhatsApp version before 2.19.274 is affected by this vulnerability.
Android 2.19.104 before Android Business, and 2.19.100 before iOS Business, are also vulnerable to such attacks.
2.25.3 The enterprise version of the client and whatsApp’s Version of Windows Phone,including versions 2.18.368 and earlier are also affected.
Although there have been no reports of the vulnerability being exploited in the wild, Facebook has advised WhatsApp users to reduce risk by bringing software updates to the latest version as soon as possible. A Facebook spokesman said:
We’ve been working to improve the security of WhatsApp services and will publish public reports on potential issues that have been resolved and fix them in line with industry best practices.
For the CVE-2019-11931 vulnerability, we believe that no users have actually been affected.