For the last day or two, our news feed has been buzzing with warnings about WhatsApp.

We saw many reports linking to two tweets that claimed the existence of two zero-day security holes in WhatsApp, giving their bug IDs as CVE-2022-36934 and CVE-2022-27492.

One article, apparently based on those tweets, breathlessly insisted not only that these were zero-day bugs, but also that they’d been discovered internally and fixed by the WhatsApp team itself.

By definition, however, a zero-day refers to a bug that attackers discovered and figured out how to exploit before a patch was available, so that there were zero days on which even the most proactive sysadmin with the most progressive attitude to patching could have been ahead of the game.

In other words, the whole idea of stating that a bug is a zero-day (often written with just a digit, as 0-day) is to persuade people that the patch is at least as important as ever, and perhaps more important than that, because installing the patch is more a question of catching up with the crooks than of keeping in front of them.

If developers uncover a bug themselves and patch it of their own accord in their next update, it’s not a zero-day, because the Good Guys got there first.

Likewise, if security researchers follow the principle of responsible disclosure, where they reveal the details of a new bug to a vendor but agree not to publish those details for an agreed period of time to give the vendor time to create a patch, it’s not a zero-day.

Setting a responsible disclosure deadline for publishing a writeup of the bug serves two purposes, namely that the researcher ultimately gets to take credit for the work, while the vendor is prevented from sweeping the issue under the carpet, knowing that it will be outed anyway in the end.

So, what’s the truth?

Is WhatsApp currently under active attack by cybercriminals? Is this a clear and current danger?

How worried should WhatsApp users be?