Blizzard working on patch for updater vulnerability that lets websites run code


Blizzard is working on a patch for a vulnerability found by Google which, according to its discoverer, allows a website to run code via the Blizzard Update Agent. A similar vulnerability recently surfaced in the torrent client Transmission.

That vulnerability was found by Google researcher Tavis Ormandy, who also discovered the current one. As with Transmission, the researcher uses DNS rebinding to carry out his attack. The Blizzard updater accepts RPC commands on localhost to perform, for example, installations and other changes.

According to Ormandy, by luring a target who has installed the software to a special website, it is possible to communicate with localhost via that site in order to execute commands and, for example, download an exploit. Ormandy has published a proof-of-concept.

He reported the vulnerability to an acquaintance at Blizzard in December, so that it would “end up in the right hands.” In his bug report, Ormandy expressed his dismay that Blizzard failed to communicate in late December and implemented what he believed to be an inadequate patch. Blizzard has since responded, however, saying it hasn’t made a patch available yet, but is finalizing a fix in the form of a Host header whitelist.
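A Host header whitelist addresses DNS rebinding because a browser whose lookup has been rebound to 127.0.0.1 still sends the attacker's hostname in the Host header. The following Python sketch is an added example, not code from Blizzard or from Ormandy's proof-of-concept: a stand-in loopback HTTP endpoint with an exact-match Host check, where the allowed names, the handler and the hostname `rebind.example` are assumptions.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Assumed allowlist: the only names a legitimate local client uses for the agent.
ALLOWED_NAMES = {"127.0.0.1", "localhost", "[::1]"}

def host_allowed(host_header, port):
    """Exact-match Host allowlist for a service bound to loopback on `port`."""
    allowed = {f"{name}:{port}" for name in ALLOWED_NAMES}
    if port == 80:  # clients omit the port only when it is the default
        allowed |= ALLOWED_NAMES
    return (host_header or "").strip().lower() in allowed

class AgentHandler(BaseHTTPRequestHandler):
    """Hypothetical local RPC endpoint; refuses requests whose Host is not local."""
    def do_GET(self):
        if not host_allowed(self.headers.get("Host"), self.server.server_address[1]):
            self.send_error(403, "Host not allowed")
            return
        body = b'{"status": "ok"}'
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args): pass  # silence per-request logging

def probe(port, host_header):
    """GET / on the loopback server with a chosen Host header; return the status."""
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.request("GET", "/", headers={"Host": host_header})
    status = conn.getresponse().status
    conn.close()
    return status

def demo():
    server = ThreadingHTTPServer(("127.0.0.1", 0), AgentHandler)
    port = server.server_address[1]
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        names = ("127.0.0.1", "localhost", "rebind.example")  # constructed inputs
        return [probe(port, f"{n}:{port}") for n in names]
    finally:
        server.shutdown()
        server.server_close()

if __name__ == "__main__":
    print(demo())
```

All three requests arrive on the same loopback socket; only the Host value distinguishes the rebound one, which is why the check has to be an exact match rather than a substring or suffix test.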

The Project Zero researcher reports via Twitter that he plans to take a closer look at other games with many players as well. He said the same about BitTorrent clients, but results are still awaited because Google’s security team has a 90-day deadline.
