There’s a report over on Hacker News indicating that an exploit was found in Blizzard’s Update Agent. The exploit was discovered via Tavis Ormandy. Ormandy works at Google and made a post about the critical exploit he spoted in the Blizzard Update Agent over on Chromium.

Hacker News reports that Blizzard issued a soft fix for the exploit after Ormandy contacted them about the issue. However, the fix doesn’t completely solve the problem, which included an opening in the protocol system through a JSON-RPC server that would allow hackers to use a DNS rebinding attack, which would leave anyone’s computer vulnerable to said attack through the Blizzard Update Agent. That’s more than a hundred million potential victims in waiting.

According to Ormandy, after December 22nd, 2017, Blizzard stopped responding to him. He states that the silent patch to fix the situation is only temporary, saying…

“Their solution appears to be to query the client command line, get the 32-bit FNV-1a string hash of the exename and then check if it’s in a blacklist. I proposed they whitelist Hostnames, but apparently, that solution was too elegant and simple. I’m not pleased that Blizzard pushed this patch without notifying me, or consulted me on this.”

Hacker News states that Blizzard supposedly stated that there is a full fix in development and prepping for deployment.

I did reach out to Blizzard to ask about the fix for the exploit and when users can expect a full deployment to patch the Blizzard Update Agent, but at the time of writing this article they have not responded.

I imagine they’ll most certainly want to get the update out as quickly as possible, especially while the company heavily pushing for the Overwatch League to become mainstream. Of course, it would be a monkey wrench in their plans if a bunch of their users fell victim to an exploit through their update launcher if they don’t manage to get a full fix out in time.

(Main image courtesy of Plank-69)