Skip to main content

Blizzard patches security hole to block hackers from sending fake updates

Image used with permission by copyright holder

Blizzard is currently fixing a security hole in its desktop software that could allow any website to install browser-based software libraries, gain access to network-attached storage devices, and more. The company introduced a temporary fix to prevent any immediate exploits, but plans to release a “more comprehensive” fix in the near future. 

Blizzard’s Desktop App includes a component called Blizzard Update Agent that installs, uninstalls, and updates associated Blizzard games such as Diablo III, World of Warcraft, Overwatch, StarCraft II, Hearthstone, and more. This component creates a server that listens for encoded commands sent from Blizzard through a local network port on the PC. This update platform relies on a specific authentication token system to determine that these commands are legitimate.  

But Google security researcher Tavis Ormandy revealed that hackers could infiltrate this setup using an attack called “DNS rebinding.” Theoretically, a hacker and/or website could create a domain name, and assign that name to the IP address and port where the Update Agent resides on the target PC. From there, hackers could bypass Blizzard’s authentication system to install malicious software and perform other dirty deeds. 

Ormandy originally disclosed the issue on December 8, and communicated with Blizzard until the company went quiet on December 22. By then, he noted that Blizzard quietly updated the client – v5996 – with a temporary fix he deemed a “bizarre solution,” and that used a three-step verification process. He previously proposed using a whitelist for valid hostnames, but based on Blizzard’s fix, figured the company thought his solution was “too elegant and simple.” 

Finally, on January 23, Blizzard resumed communication with Ormandy. “We have a more robust Host header whitelist fix in QA now and will deploy soon. The executable blacklisting code is actually old and wasn’t intended to be a resolution to this issue,” a representative said. 

A DNS rebinding attack typically targets more than one machine on a network. Attackers will register a domain name, assign it to a Domain Name System server under their control, and create a webpage with malicious JavaScript. When victims land on the page, hackers acquire their IP address and tie it to one of their subdomains to execute a Cross-Site Request Forgery attack. Ultimately, hackers gain control of the victim’s router, and can attack other machines on the network. 

In the case of the Blizzard Update Agent, hackers could create a fake update server to deliver goods not associated with Blizzard’s games. The company likely went silent for a few weeks while it replicated the problem, created a temporary fix, and set course for an official update prior to providing additional responses. Meanwhile, Ormandy provides a “simple” demo of the Blizzard DNS rebinding testcase here. 

“Note that this attack can take up to five minutes to work, this would be happening while you read a website in the background and you would see nothing on the screen,” Ormandy explains. 

Outside of Blizzard’s response on Ormandy’s disclosure, the company has yet to make an official public announcement regarding his findings. 

Editors' Recommendations

Kevin Parrish
Former Digital Trends Contributor
Kevin started taking PCs apart in the 90s when Quake was on the way and his PC lacked the required components. Since then…
These 4K monitors are discounted at Best Buy — from $200
The Sony InZone M9 sitting next to a PlayStation 5.

A 4K monitor is a great way of enjoying an enhanced image as you work with more pixels, higher resolutions, and often better colors too. Over at Best Buy, there are some great monitor deals squarely focused on all things 4K. There are dozens of 4K monitors in the sale so the smart move is to hit the button below to see what’s there for yourself. If you want some help though, we’re here. We’ve picked out a few highlights in the sale so take a look for yourself.

What to shop for in the Best Buy 4K monitor sale
Samsung makes some of the best monitors around so why not start with the ? It’s currently reduced by $150 so it costs just $200. Its IPS panel looks great with AMD FreeSync support effectively eliminating screen tears and stutters. There’s also HDR support which brings with it some great looking colors while wide viewing angles mean it looks great from any perspective.

Read more
9 best processors for PC gaming: tested and reviewed
The AMD Ryzen 9 7950X3D installed in a motherboard.

It's tough to find the right gaming CPU for your next PC. We've benchmarked dozens of processors to find the best CPU for gaming, and there's a clear winner right now: AMD's Ryzen 7 7800X3D. Although the latest chip from Team Red claims the crown, there are still several other great options on the market.

Whatever your needs and budgets, though, we have options from AMD and Intel that will be great performers. We're focused on gaming here, but if you want a processor that can game and get work done, make sure to check out our list of the best processors.

Read more
The best 5K monitors you can buy for max resolution
A person using the Dell UltraSharp 40 U4025QW 40-inch curved Thunderbolt hub monitor with a Dell laptop on a desk.

Despite their relatively steep price tags, 5K monitors have gained substantial popularity among various creative professionals, including photographers, videographers, filmmakers, and graphic designers. These displays not only deliver exceptionally sharp and detailed imagery but also come with high-end, factory-calibrated panels to ensure precise color reproduction.

A true 5K resolution is defined as 5120 x 2880 pixels, with the emphasis often placed on the horizontal pixel count by many manufacturers. It's important to note that only a few monitors offer this exact resolution. Therefore, we have compiled a list of the top monitors that provide a 5K2K resolution (5120 x 2160 pixels) as well. Here are the best 5K monitors currently available for purchase in 2024.

Read more