Skip to main content

Blizzard patches security hole to block hackers from sending fake updates

Image used with permission by copyright holder

Blizzard is currently fixing a security hole in its desktop software that could allow any website to install browser-based software libraries, gain access to network-attached storage devices, and more. The company introduced a temporary fix to prevent any immediate exploits, but plans to release a “more comprehensive” fix in the near future. 

Blizzard’s Desktop App includes a component called Blizzard Update Agent that installs, uninstalls, and updates associated Blizzard games such as Diablo III, World of Warcraft, Overwatch, StarCraft II, Hearthstone, and more. This component creates a server that listens for encoded commands sent from Blizzard through a local network port on the PC. This update platform relies on a specific authentication token system to determine that these commands are legitimate.  

But Google security researcher Tavis Ormandy revealed that hackers could infiltrate this setup using an attack called “DNS rebinding.” Theoretically, a hacker and/or website could create a domain name, and assign that name to the IP address and port where the Update Agent resides on the target PC. From there, hackers could bypass Blizzard’s authentication system to install malicious software and perform other dirty deeds. 

Ormandy originally disclosed the issue on December 8, and communicated with Blizzard until the company went quiet on December 22. By then, he noted that Blizzard quietly updated the client – v5996 – with a temporary fix he deemed a “bizarre solution,” and that used a three-step verification process. He previously proposed using a whitelist for valid hostnames, but based on Blizzard’s fix, figured the company thought his solution was “too elegant and simple.” 

Finally, on January 23, Blizzard resumed communication with Ormandy. “We have a more robust Host header whitelist fix in QA now and will deploy soon. The executable blacklisting code is actually old and wasn’t intended to be a resolution to this issue,” a representative said. 

A DNS rebinding attack typically targets more than one machine on a network. Attackers will register a domain name, assign it to a Domain Name System server under their control, and create a webpage with malicious JavaScript. When victims land on the page, hackers acquire their IP address and tie it to one of their subdomains to execute a Cross-Site Request Forgery attack. Ultimately, hackers gain control of the victim’s router, and can attack other machines on the network. 

In the case of the Blizzard Update Agent, hackers could create a fake update server to deliver goods not associated with Blizzard’s games. The company likely went silent for a few weeks while it replicated the problem, created a temporary fix, and set course for an official update prior to providing additional responses. Meanwhile, Ormandy provides a “simple” demo of the Blizzard DNS rebinding testcase here. 

“Note that this attack can take up to five minutes to work, this would be happening while you read a website in the background and you would see nothing on the screen,” Ormandy explains. 

Outside of Blizzard’s response on Ormandy’s disclosure, the company has yet to make an official public announcement regarding his findings. 

Editors' Recommendations

Kevin Parrish
Former Digital Trends Contributor
Kevin started taking PCs apart in the 90s when Quake was on the way and his PC lacked the required components. Since then…
As an enthusiast, these are the apps every PC needs to have
A gaming PC with RGB synced lights running Apex Legends.

I've written about PC hardware for several years, and I proudly wear the badge of "enthusiast." But for as fun and interesting as the hardware is, no high-end PC is complete without the proper software.

Over my years of building PCs and tweaking hardware, I've cultivated a list of software that I need to install on every device I use. Here's what I install on every PC I build or test.

Read more
Nvidia’s RTX 5090 might completely run AMD into the ground
RTX 4090.

Nvidia's best graphics card might reach new heights in the next generation of GPUs -- or at least that's what a reputable leaker implies. The RTX 4090 already delivered a massive generational uplift, and we're looking at something similar, or even better, with the future RTX 5090. It all comes down to a ridiculously large memory bus and a huge increase in CUDA cores. But does Nvidia really need all that juice to compete with AMD?

Today's round of tantalizing leaks comes from a well-known source in the GPU space, kopite7kimi, who released some speculation about the possible architecture of the GB202 chip, which would be the Blackwell counterpart to the AD102. There's a bit of math involved.

Read more
Best OLED monitor deals: Get an OLED screen from just $370
Marvel's Spider-Man running on the Samsung Odyssey OLED G8.

If you want the best screens that you can get from monitor deals, it's highly recommended that you go for displays featuring OLED technology. OLED stands for organic light-emitting diode, and because they eliminate the need for a backlight by generating 100% of the light on the screen, OLED monitors can offer perfect black levels, extremely wide viewing angles, and insanely fast response times, among other benefits. If you're interested in OLED monitor deals, here are the top offers that are available right now, but you'll need to hurry because they may disappear at any moment.
ViewSonic 15.6-inch ColorPro VP16 OLED monitor -- $370, was $400

The ViewSonic ColorPro VP16 OLED monitor is a portable display that features a 15.6-inch screen with Full HD resolution. It comes with a flexible and foldable ergonomic stand for easy height and viewing angle adjustments, and there's also a tripod mount integrated into the stand so that the ViewSonic ColorPro VP16 can be used as photo or video preview screen. For connectivity options, you get two USB-C ports and a mini HDMI port.

Read more