Sony Online Entertainment Quickly Patches for Heartbleed Bug

Written by Feldon on . Posted in EQ2, Game Updates & Maintenance


From EQ2 Community Manager Margaret “Luperza” Krohn on the EQ2 Forums:

As was widely reported, a vulnerability called “Heartbleed” was recently found in OpenSSL (the popular open-source software used to encrypt and secure computer communications) that could potentially allow data theft on systems using OpenSSL. Like many others around the world, some of SOE’s sites used OpenSSL, but those sites were fully patched – closing this exploit.

We have no evidence of any breach or data theft, and the chance of any particular user password having been compromised is very slim. Nonetheless, we will let you know if we recommend that you reset your password.


Comments (6)

  • Malade

    Heartbleed doesn’t leave any ‘evidence’.

  • Shmogre

    That was going to be my comment as well… the very nature of the Heartbleed bug makes it difficult to tell if there has been a breach.

  • name (required)

    Read again. They didn’t say they have no evidence that they got heartbleeded; they said they have no evidence that they got breached and stolen with heartbleeded data.

  • milliebii

    This “heartbleed bug” reminds me far too much of the “Y2K” bug.

    Lots of angst and no evidence of anyone even trying to exploit it. Also no coherent explanation of how the transmission of an almost random 64k chunk of memory would be mapped to useful data.

    Yes, users of the OpenSSL library need to patch it and consider other measures, but the hype is extraordinary.

  • Striinger

    Milli, it’s not theoretical, and there are no fingerprints because it doesn’t require elevated permission to access the memory in 64k chunks (among other reasons). You can get a different chunk each handshake request.
    It’s so serious because you can get the private key for the servers, which can be used at will until they renew them (which could cost and be deferred). So, even patching doesn’t remove the threat until keys and passwords are changed.

    • milliebii

      You do not understand the nature of the bug. The client sends a request that returns a known two-byte string followed by the remainder of a 64k chunk of memory. Repeated requests do not increment the chunk being returned (the same chunk could, theoretically, be returned over and over again). The more likely outcome of repeated requests is slightly different 64k chunks, all beginning with the same two-byte string (it is sent in the request and returned). Yes, there has been a demonstration of the concept of key recovery. However, no details have been provided of how many requests were sent or whether the demonstration included multiple non-hacking clients as well as the hacking client. You should also read http://arstechnica.com/security/2014/04/how-heartbleed-transformed-https-security-into-the-stuff-of-absurdist-theater/

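A toy model of the heartbeat length check that the comments above argue over, added here as an illustration; it is not code from the original post, from SOE, or from OpenSSL. It simulates "process memory" with a constructed byte buffer and shows three things: the check the OpenSSL fix added (a heartbeat whose claimed payload length does not fit inside the record actually received is discarded), why the unpatched behaviour echoes back whatever bytes happen to sit after the request in memory, and the same length mismatch used as a detection condition over captured records. The session-token string and every record are constructed for the example.

```python
"""Toy model of the TLS heartbeat length check behind Heartbleed.

All data is constructed: a fake memory buffer, one-record messages, and two
simulated responders. Nothing here touches a network or OpenSSL.
"""
import struct
from typing import List, Optional

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
MIN_PADDING = 16  # RFC 6520: a HeartbeatMessage carries at least 16 bytes of padding


def build_heartbeat(payload: bytes, claimed_len: Optional[int] = None) -> bytes:
    """HeartbeatMessage = type(1) | payload_length(2) | payload | padding.

    claimed_len defaults to the real payload length; passing a different value
    models a message whose length field disagrees with its body.
    """
    if claimed_len is None:
        claimed_len = len(payload)
    return struct.pack("!BH", HEARTBEAT_REQUEST, claimed_len) + payload + b"\x00" * MIN_PADDING


def claimed_length_fits(record: bytes) -> bool:
    """The check the OpenSSL fix added: type byte + 2-byte length field +
    claimed payload + minimum padding must fit inside the received record."""
    if len(record) < 3:
        return False
    _, claimed_len = struct.unpack("!BH", record[:3])
    return 1 + 2 + claimed_len + MIN_PADDING <= len(record)


def respond_unpatched(memory: bytearray, record_offset: int) -> bytes:
    """Pre-fix behaviour, simulated: trust the length field and copy that many
    bytes starting at the payload, regardless of where the record ends."""
    _, claimed_len = struct.unpack("!BH", memory[record_offset:record_offset + 3])
    payload_start = record_offset + 3
    echoed = bytes(memory[payload_start:payload_start + claimed_len])
    return struct.pack("!BH", HEARTBEAT_RESPONSE, claimed_len) + echoed + b"\x00" * MIN_PADDING


def respond_patched(memory: bytearray, record_offset: int, record_len: int) -> Optional[bytes]:
    """Post-fix behaviour: validate against the real record length; return None
    (drop the message, send nothing) when the length field overruns it."""
    record = bytes(memory[record_offset:record_offset + record_len])
    if not claimed_length_fits(record):
        return None
    _, claimed_len = struct.unpack("!BH", record[:3])
    payload = record[3:3 + claimed_len]
    return struct.pack("!BH", HEARTBEAT_RESPONSE, claimed_len) + payload + b"\x00" * MIN_PADDING


def flag_inconsistent_heartbeats(records: List[bytes]) -> List[int]:
    """Detection view: indexes of records whose length field does not fit the
    record, the condition a network sensor can test without decrypting anything
    (heartbeats are sent in the clear before the handshake completes)."""
    return [i for i, r in enumerate(records) if not claimed_length_fits(r)]


def demo() -> dict:
    # Constructed memory layout: the heartbeat record, then unrelated data the
    # same process happens to hold (a made-up session token, not a real one).
    secret = b"SESSION=constructed-example-token"
    honest = build_heartbeat(b"ping")                       # length field == 4
    inconsistent = build_heartbeat(b"ping", claimed_len=40)  # body is still 4 bytes

    memory = bytearray(inconsistent + secret)
    leaked = respond_unpatched(memory, 0)
    dropped = respond_patched(memory, 0, len(inconsistent))

    honest_memory = bytearray(honest + secret)
    echoed = respond_patched(honest_memory, 0, len(honest))

    return {
        "unpatched_returns_adjacent_memory": secret[:20] in leaked,
        "patched_drops_inconsistent_record": dropped is None,
        "patched_echoes_honest_payload": echoed is not None and echoed[3:7] == b"ping",
        "flagged_record_indexes": flag_inconsistent_heartbeats([honest, inconsistent]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The model deliberately leaves out everything that makes the real bug noisy in practice (which bytes neighbour the record, allocator reuse between requests), which is exactly the uncertainty the thread is arguing about; what it does pin down is that the fix is a single length comparison against the received record, and that the same comparison is enough for a sensor to flag the traffic.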