Blizzard Games Exposed to Hacking
Google’s Project Zero researcher Tavis Ormandy discovered a serious flaw in the Blizzard Update Agent. The bug opens up gamers’ PCs to hacking, allowing outside servers to install and uninstall programs, change system settings and perform other dangerous functions. Blizzard reportedly has half a billion active users per month.
Ormandy warned that all Blizzard games, including World of Warcraft, Overwatch, Diablo III, and Starcraft II, run the risk of this potentially damaging exposure, and that some gamers’ PCs may already have been hacked.
Ormandy alerted Blizzard to the issue back in December and supplied a simple but elegant solution. Initially, Blizzard and Ormandy communicated. Blizzard then froze Ormandy out, quietly rolling out a patch of their own. The patch, which Ormandy called “bizarre,” apparently won’t fix the problem.
Blizzard recently disclosed on the Chromium Bug Tracker that a “whitelist” fix will be rolled out shortly. The whitelist was the solution Ormandy had proposed. Blizzard commented that they will be in contact with him soon to “avoid any miscommunication.”
Automated bug discovery tools alone will overwhelm the weak patching structure currently in practice. Ultimately the goal will be to find a practical way for manufacturers to build security into their IoT products.