WhatsApp identifies new hole, Cert-in advises update
Anam.Ajmal@timesgroup.com
New Delhi: 18.11.2019
WhatsApp has identified a vulnerability that could have been exploited through a malicious MP4 file. India’s Computer Emergency Response Team (Cert-in) described the vulnerability’s severity rating as “high” and advised users to update to the latest version of WhatsApp.
The vulnerability, identified as CVE-2019-11931, affected both Android and iOS systems, but it is unclear if any users were impacted. The company has rolled out a security update.
“WhatsApp is constantly working to improve the security of our service. We make public reports on potential issues we have fixed, consistent with industry best practices. In this instance, there is no reason to believe users were impacted,” WhatsApp said in a statement on Sunday.
With 400 million users, India is WhatsApp’s biggest market. The development comes just weeks after WhatsApp sued the Israeli company, NSO group, over the alleged misuse of their spyware Pegasus, which was installed in the phones of 1,400 users, including at least 120 Indians. Many of those who were spied on were journalists, rights activists and lawyers.
In a post on its security advisory page, WhatsApp’s parent company Facebook confirmed the vulnerability on November 14. The post describes the vulnerability as “A stack-based buffer overflow could be triggered in WhatsApp by sending a specially crafted MP4 file to a WhatsApp user.”
Although this description is vague, the Cert-in website gives more details. It states that the vulnerability can be “exploited by a remote attacker to execute arbitrary code on the target system.”
“A remote attacker could exploit this vulnerability by sending a specially crafted MP4 file to the target system. This could trigger a buffer overflow leading to the execution of arbitrary code by the attacker. The exploitation does not require any form of authentication from the victim end...,” the Cert-in website elaborates.
According to the emergency team, the successful exploitation of the vulnerability could allow a remote attacker to cause “Remote Code Execution (RCE) or Denial of Service (DoS) condition, which could further compromise the system.”