Skip to main content

Blizzard patches security hole to block hackers from sending fake updates

Blizzard
Image used with permission by copyright holder

Blizzard is currently fixing a security hole in its desktop software that could allow any website to install browser-based software libraries, gain access to network-attached storage devices, and more. The company introduced a temporary fix to prevent any immediate exploits, but plans to release a “more comprehensive” fix in the near future. 

Blizzard’s Desktop App includes a component called Blizzard Update Agent that installs, uninstalls, and updates associated Blizzard games such as Diablo III, World of Warcraft, Overwatch, StarCraft II, Hearthstone, and more. This component creates a server that listens for encoded commands sent from Blizzard through a local network port on the PC. This update platform relies on a specific authentication token system to determine that these commands are legitimate.  

Recommended Videos

But Google security researcher Tavis Ormandy revealed that hackers could infiltrate this setup using an attack called “DNS rebinding.” Theoretically, a hacker and/or website could create a domain name, and assign that name to the IP address and port where the Update Agent resides on the target PC. From there, hackers could bypass Blizzard’s authentication system to install malicious software and perform other dirty deeds. 

Please enable Javascript to view this content

Ormandy originally disclosed the issue on December 8, and communicated with Blizzard until the company went quiet on December 22. By then, he noted that Blizzard quietly updated the client – v5996 – with a temporary fix he deemed a “bizarre solution,” and that used a three-step verification process. He previously proposed using a whitelist for valid hostnames, but based on Blizzard’s fix, figured the company thought his solution was “too elegant and simple.” 

Finally, on January 23, Blizzard resumed communication with Ormandy. “We have a more robust Host header whitelist fix in QA now and will deploy soon. The executable blacklisting code is actually old and wasn’t intended to be a resolution to this issue,” a representative said. 

A DNS rebinding attack typically targets more than one machine on a network. Attackers will register a domain name, assign it to a Domain Name System server under their control, and create a webpage with malicious JavaScript. When victims land on the page, hackers acquire their IP address and tie it to one of their subdomains to execute a Cross-Site Request Forgery attack. Ultimately, hackers gain control of the victim’s router, and can attack other machines on the network. 

In the case of the Blizzard Update Agent, hackers could create a fake update server to deliver goods not associated with Blizzard’s games. The company likely went silent for a few weeks while it replicated the problem, created a temporary fix, and set course for an official update prior to providing additional responses. Meanwhile, Ormandy provides a “simple” demo of the Blizzard DNS rebinding testcase here. 

“Note that this attack can take up to five minutes to work, this would be happening while you read a website in the background and you would see nothing on the screen,” Ormandy explains. 

Outside of Blizzard’s response on Ormandy’s disclosure, the company has yet to make an official public announcement regarding his findings. 

Kevin Parrish
Former Digital Trends Contributor
Kevin started taking PCs apart in the 90s when Quake was on the way and his PC lacked the required components. Since then…
AMD’s next-gen GPUs to go on sale next month
AMD Radeon RX 9070 GPUs from different brands

AMD’s upcoming Radeon RX 9070 and RX 9070 XT graphics cards are officially set to hit the market on March 6, according to certain retail listings. The new GPUs, based on AMD’s RDNA 4 architecture, will launch just a few weeks after Nvidia’s RTX 5070 Ti and possibly before the RTX 5070, setting the stage for a heated mid-range GPU battle.

As per Tom's Hardware, screenshots of RX 9070 and 9070 XT models from XFX listed on Amazon were shared by hardware leaker momomo_us having a price range from $649 to $849. One of these listing notably mentions, “This item will be released on March 6, 2025.”

Read more
A larger iMac might not be dead, after all
The iMac screen on a desk.

Ever since the 27-inch iMac was discontinued back in 2022, Apple hasn’t said anything about plans to revive it, or launch a successor. Similar is the fate of the iMac Pro, which got the discontinuation treatment in 2022, and has since remained a mystery.

But it seems plans for a large-screen all-in-one (AIO) desktop aren’t dead at Apple. In the latest edition of his PowerOn newsletter, Bloomberg’s Mark Gurman says the company might eventually turn its attention to delivering a super-sized desktop.

Read more
Apple eyes AI push on the Vision Pro. What it needs is a health pivot
A man wears an Apple Vision Pro headset.

Apple’s ambitions in the immersive world of augmented and virtual reality (AR and VR) are off to a rough start. The $3,500 Vision Pro failed to kick off a market storm. Then came reports of Apple cancelling its AR smart glasses project.

The company, however, is not done yet. As per Bloomberg, Apple is bringing its suite of AI tools called Apple Intelligence to the visionOS platform. That means AI tricks such as Writing Tools, Genmoji, and Image Playground are coming to the headset.

Read more