Naked Security Naked Security

Microsoft warns of possible attacks after Xbox Live certificate leaked

The private keys for an SSL/TLS digital certificate for *.xboxlive.com were "inadvertently disclosed," Microsoft says.

Microsoft on Tuesday updated its Certificate Trust List (CTL) after private keys for an SSL/TLS digital certificate for Xbox Live were “inadvertently disclosed,” it said in a security advisory.

The *.xboxlive.com digital certificate could be used to attempt man-in-the-middle attacks, the company said.

In such an attack, the attacker could use the certificate to impersonate the xboxlive.com domain and intercept the website’s secure connection.

Tricked Xbox users might then hand over their username and password, potentially leading to yet more attacks on the user.

However, according to Microsoft, the certificate couldn’t be used to issue other certificates, impersonate other domains, or sign code.

Though Microsoft isn’t currently aware of attacks related to the certificate fumble, it says that the issue affects all supported releases of Microsoft Windows.

Windows users on supported editions of Windows 8, Windows 8.1, Windows RT, Windows RT 8.1, Windows Server 2012, Windows Server 2012 R2, Windows 10, and Windows 10 Version 1511, and those using devices running Windows Phone 8, Windows Phone 8.1, and Windows 10 Mobile don’t have to sweat this, Microsoft said, given that their certificate trust lists are automatically updated.

For customers running Windows Vista, Windows 7, Windows Server 2008, or Windows Server 2008 R2 and are using the automatic updater of CTLs, the update will also be applied without you needing to do anything.

For everyone else, make sure you update now!