Skip to main content

Blizzard patches security hole to block hackers from sending fake updates

Blizzard is currently fixing a security hole in its desktop software that could allow any website to install browser-based software libraries, gain access to network-attached storage devices, and more. The company introduced a temporary fix to prevent any immediate exploits, but plans to release a “more comprehensive” fix in the near future. 

Blizzard’s Desktop App includes a component called Blizzard Update Agent that installs, uninstalls, and updates associated Blizzard games such as Diablo III, World of Warcraft, Overwatch, StarCraft II, Hearthstone, and more. This component creates a server that listens for encoded commands sent from Blizzard through a local network port on the PC. This update platform relies on a specific authentication token system to determine that these commands are legitimate.  

Recommended Videos

But Google security researcher Tavis Ormandy revealed that hackers could infiltrate this setup using an attack called “DNS rebinding.” Theoretically, a hacker and/or website could create a domain name, and assign that name to the IP address and port where the Update Agent resides on the target PC. From there, hackers could bypass Blizzard’s authentication system to install malicious software and perform other dirty deeds. 

Ormandy originally disclosed the issue on December 8, and communicated with Blizzard until the company went quiet on December 22. By then, he noted that Blizzard quietly updated the client – v5996 – with a temporary fix he deemed a “bizarre solution,” and that used a three-step verification process. He previously proposed using a whitelist for valid hostnames, but based on Blizzard’s fix, figured the company thought his solution was “too elegant and simple.” 

Finally, on January 23, Blizzard resumed communication with Ormandy. “We have a more robust Host header whitelist fix in QA now and will deploy soon. The executable blacklisting code is actually old and wasn’t intended to be a resolution to this issue,” a representative said. 

A DNS rebinding attack typically targets more than one machine on a network. Attackers will register a domain name, assign it to a Domain Name System server under their control, and create a webpage with malicious JavaScript. When victims land on the page, hackers acquire their IP address and tie it to one of their subdomains to execute a Cross-Site Request Forgery attack. Ultimately, hackers gain control of the victim’s router, and can attack other machines on the network. 

In the case of the Blizzard Update Agent, hackers could create a fake update server to deliver goods not associated with Blizzard’s games. The company likely went silent for a few weeks while it replicated the problem, created a temporary fix, and set course for an official update prior to providing additional responses. Meanwhile, Ormandy provides a “simple” demo of the Blizzard DNS rebinding testcase here. 

“Note that this attack can take up to five minutes to work, this would be happening while you read a website in the background and you would see nothing on the screen,” Ormandy explains. 

Outside of Blizzard’s response on Ormandy’s disclosure, the company has yet to make an official public announcement regarding his findings. 

Kevin Parrish
Kevin started taking PCs apart in the 90s when Quake was on the way and his PC lacked the required components. Since then…
If you’re itching for an HP OMEN MAX gaming laptop, this deal will save you $500
The HP Omen Max gaming laptop with Valorant on the screen.

We've recently published a stunningly positive review of the HP OMEN Max 16. It's got a list of "Pros" a mile long. The single, obligatory con is "Thick and heavy." Considering that it's a gaming laptop, that's practically the equivalent of saying a flashlight is too bright to look at. Thick, and a bit heavy, just comes with the territory. All of this is to say that the review was great and we're fans of the HP OMEN Max 16. As a deal hunter it made me want to go and see if I could find a deal on the HP OMEN Max 16 and I did, sort of. Right now you can get a customizable HP OMEN Max 16t — a laptop that, if it didn't have a separate store page, I would think is identical to the one we reviewed — with a $500 discount, no matter what settings you choose. With the base settings of the laptop, that discount brings it from $2,100 to just $1,600, but you're free to upgrade to your heart's content. Tap the button below to start customizing to your whimsy or keep reading for some advice on how to do so and what to expect from the 16t.

Buy Now

Read more
Google’s AI agent ‘Big Sleep’ just stopped a cyberattack before it started
Sundar Pichai

Google's AI agent, dubbed Big Sleep, has achieved a cybersecurity milestone by detecting and blocking an imminent exploit in the wild—marking the first time an AI has proactively foiled a cyber threat. Developed by Google DeepMind and Project Zero, Big Sleep identified a critical vulnerability in SQLite (CVE-2025-6965), an open-source database engine, that was on the verge of being exploited by malicious actors, allowing Google to patch it before damage occurred. “We believe this is the first time an AI agent has been used to directly foil efforts to exploit a vulnerability in the wild,” the company said.

Why it matters: As cyberattacks surge—costing businesses trillions annually—this breakthrough shifts defense from reactive patching to AI-driven prediction and prevention. It gives security teams a powerful new tool to stay ahead of hackers, potentially saving devices and data worldwide. CEO Sundar Pichai called it "a first for an AI agent—definitely not the last" according to Live Mint.

Read more
Google confirms merging Chrome OS and Android into one platform
Google Chrome app on s8 screen.

Why it matters: Google's push to blend Chrome OS and Android could supercharge affordable laptops like Chromebooks, making them more versatile for work and play. This move echoes Apple's seamless ecosystem across iPadOS and macOS, potentially shaking up the PC market where Windows dominates but innovation lags.

What's happening: In a bombshell interview, Google's Android ecosystem president Sameer Samat outright confirmed the company is "combining Chrome OS and Android into a single platform. This follows months of rumors and aligns with Android 16's new desktop-friendly features, like proper windowing and external display support. But then Samat later clarified on X that it's not a full-on merger killing Chrome OS; instead, it's about weaving Android's tech stack deeper into Chrome for better app compatibility and hardware efficiency.

Read more