Security

Sony quietly POODLE-proofs Playstations

Innocuous 'system software stability' update brings no patch, no surf, regime

Sony has patched the POODLE SSL vulnerability in its Playstation 3 and 4 gaming consoles.

The rolling patch, introduced over the last fortnight, brings Transport Layer Security into Playstation's browsers and apps. SSL 3.0 is dispelled, off the Padding Oracle on Downgrade Legacy Encryption attack.

The patch is a 200MB mandatory download and forces players, including this writer, to apply the fix in order to regain online multiplayer and browser access.

POODLE allows attackers to exploit weaknesses in SSL 3.0's design to grab victims' secret session cookies. These can be used to log into online accounts, such as webmail, social networks, and so on.

Until patch version 4.66 for Playstation 3 was deployed the system had generated SSL verification errors when its browser and apps launched.

The update, confirmed as a POODLE patch by Sony's technical support line, was described in changelogs as only improvements to "system software stability during use of some features". Sony's media teams did not respond to a request for comment by the time of publication.

Playstation 4 was also patched in version 2.01 against POODLE, a fix that also scrubbed out power-down issues.

Sony's patch comes ahead of a Mozilla patch for its Firefox browser set to go live tomorrow. Google has already patched POODLE in its Chrome browser and has released a tool to help sysadmins identity and exterminate vulnerabilities such as POODLE, Heartbleed and gotofail in applications and services.

The POODLE attack was first described in a document [PDF] and in further detail in a lauded technical write-up by Google engineer Adam Langley.

Users can test their browsers against POODLE using an online tool. ®

Sponsored: The Nuts and Bolts of Ransomware in 2016