back to article That's not very ice! Blizzard silently patches games hack hole, gives Googler cold shoulder

Blizzard games – played every month by half a billion netizens, apparently – could be hijacked by malicious websites visited by gamers, according to Google's Project Zero team. Googler Tavis Ormandy spotted the vulnerability in the Blizzard Update Agent, which is installed alongside all Blizzard titles. This particular …

  1. Voland's right hand Silver badge

    DNS rebinding is usually turned off at the CPE

    90% of residential CPEs out there run some variety of dnsmasq which has rebind protection enabled in their default settings.

    This will not affect Joe Average User. Joe Uber Geek who runs his own DNS and is doing clever stuff with it inside his network - yes. Corporate networks - probably yes. Average user at standard CPE settings - do not think so.

    Blizzard solution while bizzare and executed in an inept way is in the right direction. The only "right" way of doing this is to have each command and each payload authenticated. Best of all cryptographically - signed by a certificate Blizzard owns.

  2. Alan J. Wylie

    TLS certificates pointing to localhost

    On a similar subject, there have been recent discussions about vendors running HTTPS servers on the local system, creating TLS certificates which point to "localhost", then embedding the private key for the certificate in the locally installed software.

    Here's a discussion thread which mentions Blizzard and which was prompted by a tweet from Tavis Ormandy, who is also responsible for disclosing the other vulnerability.

    What's happening here: The software battle.net by Blizzard has a domain localbattle.net that points to localhost, allowing the software to serve content there. The content is served via HTTPS with a valid cert, making it obvious that the private key is part of the software.

    A couple more: here and here

  3. RyokuMas
    Coat

    Oh, boo hoo....

    So Google have no compunction about airing everyone else's dirty laundry all over the web, but go crying when someone refuses to recognise their efforts? Cry me a river.

    1. Anonymous Coward
      Anonymous Coward

      Re: Oh, boo hoo....

      If you're not paying a bug-bounty for exploits then they will be traded on the dark net and used against you.

      1. iron Silver badge

        Re: Oh, boo hoo....

        And if you don't pay the bug bounty we'll fit you for some concrete overshoes.

        (Nice line in blackmail / extortion you have going there.)

  4. Charles 9

    I can potentially see why they're against a whitelist: potential for a lockout if it's trying to update itself (and the whitelist with it) and Murphy strikes.

  5. iron Silver badge

    "I'm not pleased that Blizzard pushed this patch without notifying me, or consulted me on this."

    Get over yourself. This is Blizzard's software and they don't work for you.

    1. Daggerchild Silver badge

      He doesn't work for Blizzard, no, but he did do their homework for them when they couldn't.

      Shouldn't that afford him at least their default courtesy, not actively deciding to ghost him?

  6. Notas Badoff

    Hey, I know how to do this!

    Blacklist: "Is it an even number?"

    Whitelist: "Is it not divisible by something other than one?"

    One of these is a mental shortcut, yet terrible at identifying prime numbers.

    1. Charles 9

      Re: Hey, I know how to do this!

      But sometimes whitelists get TOO restrictive, resulting in a lockout situation. For instance, your whitelist would trip on 1 (which is neither prime nor composite). It is not divisible by something other than 1. Problem is, it should really say, "Does it have EXACTLY TWO divisors: one and itself?" THIS whitelist would fail 1 as only having one divisor.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon