GAME BEHEMOTH Blizzard has gone cold on intrepid Google Project Zero security researcher Tavis Ormandy after he reported a security bug in the Blizzard Update Agent.
The Update Agent is designed to automatically download and install patches for Blizzard games, part of which involves accepting commands to change settings when conducting software maintenance.
To ensure it's doing its job, the Update Agent uses a JSON RPC HTTP server on the localhost port 1120 of the machine it's running on, which essentially checks that any changes it has been tasked with are legitimate.
But Ormandy discovered that through the use of a hacking technique called DNS binding, the authentication system can be bypassed allowing for malicious sites to send commands to the Update Agent.
"Any website can simply create a DNS name that they are authorised to communicate with, and then make it resolve to localhost. To be clear, this means that any website can send privileged commands to the agent. Exploitation would involve using network drives, or setting destination to 'Downloads' and making the browser install dlls, datafiles, etc," Ormandy explained in his advisory.
The security researcher reported the issue to Blizzard, but the games giant stopped responding, seemingly deciding to quietly patch the security hole without further correspondence with Ormandy.
"Blizzard are no longer replying to any enquiries, and it looks like in version 5996 the agent now has been silently patched with a bizarre solution. Their solution appears to be to query the client command line, get the 32-bit FNV-1a string hash of the exe name, and then check if it's in a blacklist. I proposed they whitelist hostnames, but apparently that solution was too elegant and simple," Ormandy explained.
"I'm not pleased that Blizzard pushed this patch without notifying me, or consulted me on this," he added, clearly pissed at the cold shoulder Blizzard showed him.
A comment was added to the advisory a little after Ormandy's disgruntled post, claiming to be from Blizzard, which noted that it's back in touch with the researcher.
"We have a more robust Host header whitelist fix in QA now and will deploy soon. The executable blacklisting code is actually old and wasn't intended to be a resolution to this issue. We're in touch with Tavis to avoid miscommunication in the future," the comment from Blizzard said, offering a form of 'sorry-not-sorry reply.
So it would appear that Ormandy's proposed fix will be implemented after all.
Given Ormandy is kinda a big deal in the cybersecurity world, Blizzard's initial alleged rudeness could come and bite the publisher's posterior if Ormandy discovered future security holes in Blizzard's software but decides to keep them to himself. µ
Larry Ellison pays tribute to an 'irreplaceable friend'
The way we found out may surprise you
Air to the throne
Wonder who will get 999.999.999.999