A security researcher has revealed a vulnerability in Activision Blizzard software which would have let threat actors run malicious code on gamers’ PCs.
According to Google Project Zero researcher Tavis Ormandy, ‘Blizzard Update Agent’, a client application required to play the company’s games online, was, and may still be, vulnerable to DNS rebinding. In a DNS rebinding attack, a hostname under the attacker’s control first resolves to the attacker’s server, so that the victim’s browser loads a page from it, and then resolves to 127.0.0.1, so that scripts on that page can reach a service listening on the victim’s own machine while the browser still treats the traffic as same-origin. The attacker’s website thereby acts as a ‘bridge’ between the external server and localhost.
Any website the victim happens to visit can therefore run JavaScript that sends privileged commands to the locally listening agent; the attacker needs nothing from the user beyond loading the page.
Blizzard’s games – including immensely popular titles such as Overwatch, World of Warcraft and Hearthstone – are reportedly played by half a billion users each month, meaning that an exploitation of this vulnerability ‘in the wild’ could have impacted a huge number of victims. Fortunately, there is no evidence to indicate that this occurred.
Ormandy published a proof of concept showing how the flaw could be used to make the agent download and install files of the attacker’s choosing on the victim’s machine. By his account, the attack would take under 15 minutes to carry out.
He says that he reported the issue to Blizzard in December; after initial communications, he says, Blizzard stopped responding and, without notifying him, rolled out a patch that he considers inadequate.
“Blizzard is no longer replying to any enquiries, and it looks like in version 5996 the Agent now has been silently patched with a bizarre solution,” said Ormandy. “Their solution appears to be to query the client command line, get the 32-bit FNV-1a string hash of the exename and then check if it’s in a blacklist. I proposed they whitelist hostnames, but apparently that solution was too elegant and simple. I’m not pleased that Blizzard pushed this patch without notifying me, or consulting me on this.”
Ormandy later added that a Blizzard representative had contacted him to let him know that a more comprehensive whitelisting solution was being developed.
“The executable blacklisting code is actually old and wasn’t intended to be a resolution to this issue,” said a Blizzard representative. “We’re in touch with Tavis to avoid miscommunication in the future.”
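To make the contrast in the quotes above concrete, the following Node.js snippet is an added illustration; it is not Blizzard’s code and not Ormandy’s proof of concept. It models a rebinding resolver (to show what rebinding does and does not change about a request), the exe-name blacklist built on 32-bit FNV-1a as described in the quote, and the Host-header allowlist Ormandy proposed, then runs constructed requests through both checks. Port 1120, the hostnames, the exe names and the blacklist contents are assumptions chosen for illustration.

```javascript
'use strict';
// Added example (not Blizzard's code, not Ormandy's PoC). Port 1120, the
// hostnames, exe names and blacklist contents below are assumptions.

// --- 1. What DNS rebinding changes, and what it cannot change -------------
// A rebinding resolver answers the attacker's IP first (so the page loads
// from the attacker's origin) and 127.0.0.1 afterwards, with a TTL of 0.
// The browser still sends "Host: <attacker hostname>" on every request,
// because Host comes from the URL, not from the resolved address.
function makeRebindingResolver(attackerIp, localIp) {
  let lookups = 0;
  return function resolve(hostname) {
    lookups += 1;
    return { hostname, address: lookups === 1 ? attackerIp : localIp, ttl: 0 };
  };
}

// --- 2. The silently shipped check: hash the client exe name, blacklist it --
// 32-bit FNV-1a, as named in the quoted description of the patch.
function fnv1a32(str) {
  let h = 0x811c9dc5;                       // FNV offset basis
  for (const byte of new TextEncoder().encode(str)) {
    h ^= byte;
    h = Math.imul(h, 0x01000193) >>> 0;     // FNV prime, reduced mod 2^32
  }
  return h >>> 0;
}

// Constructed blacklist: hashes of a few browser exe names (assumed list).
const EXE_BLACKLIST = new Set(
  ['chrome.exe', 'firefox.exe', 'iexplore.exe', 'MicrosoftEdge.exe'].map(fnv1a32)
);

// Exact, case-sensitive match on the hash: a renamed or unlisted browser
// passes, which is why a blacklist cannot close the rebinding hole.
function exeBlacklistBlocks(clientExe) {
  return EXE_BLACKLIST.has(fnv1a32(clientExe));
}

// --- 3. The proposed fix: only answer requests whose Host header names us --
const AGENT_PORT = '1120';                                  // assumed port
const ALLOWED_HOSTS = new Set(['localhost', '127.0.0.1', '[::1]']);

function hostHeaderAllowed(hostHeader) {
  if (typeof hostHeader !== 'string' || hostHeader.length === 0) return false;
  let url;
  try {
    url = new URL('http://' + hostHeader);    // splits host[:port] for us
  } catch (e) {
    return false;                             // malformed Host: reject
  }
  // The header must be exactly host:port, with no path, userinfo or padding.
  if (url.host !== hostHeader.toLowerCase()) return false;
  return url.port === AGENT_PORT && ALLOWED_HOSTS.has(url.hostname);
}

// --- 4. Put each check in front of a (modelled) command handler ------------
// A request is modelled as what the agent can see: the Host header, the
// connecting process's exe name, and the command.
function handleAgentRequest(req, policy) {
  if (policy === 'exe-blacklist' && exeBlacklistBlocks(req.clientExe)) {
    return { status: 403, reason: 'client exe is blacklisted' };
  }
  if (policy === 'host-allowlist' && !hostHeaderAllowed(req.host)) {
    return { status: 403, reason: 'Host header does not name the agent' };
  }
  return { status: 200, reason: 'command accepted: ' + req.command };
}

// Constructed traffic: one legitimate client request and two rebinding
// attempts that differ only in which browser the victim happened to use.
const SAMPLE_REQUESTS = [
  { label: 'legitimate client', host: 'localhost:1120',
    clientExe: 'Battle.net.exe', command: 'install' },
  { label: 'rebinding via chrome.exe', host: 'evil.example:1120',
    clientExe: 'chrome.exe', command: 'install' },
  { label: 'rebinding via unlisted browser', host: 'evil.example:1120',
    clientExe: 'brave.exe', command: 'install' },
];

function evaluatePolicies(requests = SAMPLE_REQUESTS) {
  return requests.map((r) => ({
    label: r.label,
    exeBlacklist: handleAgentRequest(r, 'exe-blacklist').status,
    hostAllowlist: handleAgentRequest(r, 'host-allowlist').status,
  }));
}

const resolve = makeRebindingResolver('203.0.113.5', '127.0.0.1');
console.log(resolve('evil.example'), resolve('evil.example'));
console.log(JSON.stringify(evaluatePolicies(), null, 2));
```

The third sample request is the point: the rebinding request from a browser whose name is not on the list sails past the blacklist with a 200, while the Host-header check rejects all rebinding traffic regardless of which browser carried it, because the one thing rebinding cannot forge is the hostname the browser puts in the Host header.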
Ormandy has said that he will be looking at other popular gaming companies’ software to see whether the same attack can be replicated against it.