Disclosed information about the critical
The vulnerability is not related to the Signal protocol; it is caused by a buffer overflow in WhatsApp's own VoIP stack. It can be exploited by sending a specially crafted series of SRTCP packets to the victim's device. The vulnerability affects WhatsApp for Android (fixed in 2.19.134), WhatsApp Business for Android (fixed in 2.19.44), WhatsApp for iOS (2.19.51), WhatsApp Business for iOS (2.19.51), WhatsApp for Windows Phone (2.18.348) and WhatsApp for Tizen (2.18.15).
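As an added example (not from the original article), the following sketch checks a device inventory against the versions listed above. The platform keys and inventory rows are constructed for illustration, and it assumes the versions given without the words "fixed in" are also the first fixed releases.

```python
# Added example: fleet audit against the versions quoted in the article.
# Platform keys and inventory rows are constructed, not from the article.
FIXED = {
    "android": (2, 19, 134),
    "android-business": (2, 19, 44),
    "ios": (2, 19, 51),           # assumed to be the first fixed release
    "ios-business": (2, 19, 51),  # assumed to be the first fixed release
    "windows-phone": (2, 18, 348),
    "tizen": (2, 18, 15),
}

def parse_version(text):
    """'2.19.134' -> (2, 19, 134); raise ValueError on non-numeric parts."""
    parts = text.strip().split(".")
    if not all(p.isascii() and p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in parts)

def status(platform, version):
    fixed = FIXED.get(platform)
    if fixed is None:
        return "unknown-platform"
    try:
        installed = parse_version(version)
    except ValueError:
        return "unparseable"
    # Compare numerically, component by component. A plain string comparison
    # would rank "2.19.98" above "2.19.134" and report it as patched.
    width = max(len(installed), len(fixed))
    pad = lambda v: v + (0,) * (width - len(v))
    return "patched" if pad(installed) >= pad(fixed) else "vulnerable"

def audit(inventory):
    """Return (device, platform, version, status) for rows not confirmed patched."""
    rows = [(d, p, v, status(p, v)) for d, p, v in inventory]
    return [r for r in rows if r[3] != "patched"]

INVENTORY = [  # constructed sample data
    ("dev-01", "android", "2.19.98"),
    ("dev-02", "android", "2.19.134"),
    ("dev-03", "ios", "2.19.51"),
    ("dev-04", "windows-phone", "2.18.99"),
    ("dev-05", "tizen", "2.18.15.1"),
    ("dev-06", "android-business", "2.19.44-beta"),
    ("dev-07", "kaios", "2.19.1"),
]

if __name__ == "__main__":
    for row in audit(INVENTORY):
        print(*row)
```

Rows reported as `unparseable` or `unknown-platform` are kept in the output so they get a manual check instead of being silently treated as patched.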
It is interesting that in the last year
After identifying the first traces of compromised devices on Friday, Facebook engineers began developing a method of protection. On Sunday they closed the loophole at the server infrastructure level with a workaround, and on Monday they began distributing an update with a fix for the client software. It is not yet clear how many devices were attacked using the vulnerability. All that has been reported is an unsuccessful attempt on Sunday to compromise the smartphone of a human rights activist using a method reminiscent of NSO Group technology, as well as an attempt to attack the smartphone of an employee of the human rights organization Amnesty International.
The problem was not publicized
NSO denies involvement in specific attacks and says only that it develops technology for intelligence agencies, but the targeted human rights activist intends to prove in court that the company shares responsibility with customers who abuse the software provided to them, and that it sold its products to services known for their human rights violations.
Facebook launched an investigation into the possible compromise of devices, last week privately shared the first results with the US Department of Justice, and notified several human rights organizations about the problem to coordinate public awareness (there are about 1.5 billion WhatsApp installations worldwide).
Source: opennet.ru