A Google security researcher has discovered a security flaw in the Blizzard Update Agent shipped with all the company's games.

The vulnerability, exploitable through a technique known as DNS rebinding, allows a malicious website to pass as Blizzard's update server and send over malicious files that the Update Agent will run, thinking they are game updates.

The flaw was discovered by famous Google security researcher Tavis Ormandy, who reported the problem to Blizzard at the start of December 2017.

Blizzard Update Agent receives silent patch

Ormandy disclosed the bug's presence yesterday on Twitter. He noted that Blizzard patched the bug after ceasing all communications with him on December 22.

The researcher expressed his dissatisfaction with Blizzard's refusal to engage in further communications and with its failure to ask his advice regarding the patch.

How the bug works

Ormandy did not agree with how Blizzard patched the bug. Before we quote Ormandy on his thoughts regarding the patch, readers must first understand how the bug works.

According to the bug report Ormandy published online, the Blizzard Update Agent contains a JSON RPC server, listening on the local machine, that other applications can send commands to in order to interact with the Agent.

Ormandy discovered that a malicious web page could deliver JavaScript that attacks this server. DNS rebinding works because browsers enforce the same-origin policy on hostnames, not IP addresses: the attacker's DNS server first answers with the attacker's own IP so the page loads, then answers with 127.0.0.1 so that later requests from the same origin reach the local service. Once the page's hostname has been rebound to the local machine, its script can talk to the Agent's JSON RPC server as if it were a legitimate local client, and from there point the Agent at a server under the attacker's control instead of Blizzard's update servers.

Ormandy dissatisfied with the patching process

Ormandy says the patched Blizzard Update Agent (version 5996) took a roundabout route to fixing the flaw.

He says the patched Agent takes the executable name of the app sending commands to the JSON RPC server, computes a 32-bit FNV-1a string hash of it, and compares the hash against a list of apps that are not allowed to query the server. Browsers appear to be blacklisted.

"I proposed they whitelist Hostnames, but apparently that solution was too elegant and simple," Ormandy said.

"I'm not pleased that Blizzard pushed this patch without notifying me, or consulting me on this," he added. "The obvious flaw in this scheme is that the blacklist needs to be complete and maintained, so I expect it will break in future or for users on unusual browsers."

A Blizzard spokesperson later clarified that the EXE-based blacklist was "actually old and wasn’t intended to be a resolution to this issue," but did not reveal how the company patched this bug. While patch details are kept under wraps, Blizzard said it has resumed communications with Ormandy. It is unclear whether Ormandy was invited to review the patch to make sure the updated Agent code does not leave users vulnerable in some other way.

Many other apps may be vulnerable to this type of attack

The researcher also published a proof-of-concept page that carries out a DNS rebinding attack against Blizzard's Update Agent, as well as a second, generic DNS rebinding page that security researchers can use to test other applications for this class of flaw.

Ormandy previously discovered that the Transmission BitTorrent client was also vulnerable to a similar DNS rebinding flaw.

He also said he plans to look into the security of other major games in the near future.
