A Google security researcher has discovered a security flaw in the Blizzard Update Agent shipped with all the company’s games.

The vulnerability —known as DNS rebinding— allows someone to pass as Blizzard’s update server and send over malicious files that the Update Agent will run thinking they are game updates.

The flaw was discovered by famous Google security researcher Tavis Ormandy, who reported the problem to Blizzard at the start of December 2017.

Blizzard Update Agent receives silent patch

Ormandy disclosed the bug’s presence yesterday, on Twitter. He noted that Blizzard patched the bug after they ceased all communications on December 22.

The researcher showed his dissatisfaction with Blizzard refusing to engage in further communications and for failing to ask his advice regarding the patch.

How the bug works

Ormandy did not agree with how Blizzard patched the bug. Before we quote Ormandy on his thoughts regarding the patch, readers must first understand how the bug works.

According to a bug report published online here, the Blizzard Update Agent contained a JSON RPC server that other applications could send commands to and interact with the Agent.

Ormandy discovered that he could use a browser and deliver malicious JavaScript to a user that would attack this server and rebind the Agent’s update servers to a malicious server.

Ormandy dissatisfied with the patching process

Ormandy says the patched Blizzard Update Agent (version 5996) took the long way around when it came to patching the flaw.

He says the Blizzard Update Agent takes the name of the app sending commands to the JSON RPC server,…