Microsoft Takes Countermeasures After Xbox Live SSL Certificate Blunder


Private key for Xbox Live domain leaks online.

Microsoft’s security staff has detected an issue with one of the company’s SSL certificates, issued for the * domain, and has decided to revoke it to avoid exposing customers to MitM (man-in-the-middle) attacks.

The problem concerns the private key belonging to one of the Xbox Live SSL certificates, the certificate used to establish HTTPS connections to the website.

This private key was leaked online, and Microsoft has not explained how that happened. To safeguard users from any case in which the key is used in a MitM attack to intercept HTTPS traffic, the company has revoked the SSL certificate that the key belongs to.

Microsoft has revoked the compromised certificate

“To help protect customers from potentially fraudulent use of the SSL/TLS digital certificate, the certificate has been deemed no longer valid and Microsoft is updating the Certificate Trust list (CTL) for all supported releases of Microsoft Windows to remove the trust of the certificate,” Microsoft notes in one of its security advisories.

Microsoft has started pushing updates to all products to fix the issue. More recent products like Windows 10, Windows 8.1, Windows 8, Windows 10 Mobile, Windows Phone 8.1, Windows Phone 8, and Windows Server 2012 come equipped with an automatic certificate trust list updater.

Users running older versions of Windows will have to install KB 2677070, an update that added a similar mechanism for automatically updating certificate trust lists.
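The reason a certificate trust list update is needed at all, rather than just a fix on Microsoft's side, is that the leaked certificate is genuinely issued: ordinary chain validation on a client still accepts it, so the client itself must learn to distrust that one certificate. The following added example (not from the article, and not Microsoft's CTL code) models that mechanism with openssl: it creates a throwaway CA and a leaf certificate with the constructed names "Example Test CA" and "service.example.test", shows that chain validation alone accepts the leaf, and then rejects it once its SHA-256 fingerprint is added to a local distrust list, with no change to the CA.

```shell
#!/bin/sh
# Added example, not from the article or from Microsoft. Models a client that
# combines chain validation with a per-certificate distrust list, the way the
# Windows certificate trust list removes trust from one specific certificate.
# The CA, the leaf certificate and their names are constructed for this demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed CA and a leaf certificate that the CA issues.
openssl req -x509 -batch -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Test CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
openssl req -batch -newkey rsa:2048 -nodes -subj "/CN=service.example.test" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1
openssl x509 -req -days 1 -in "$WORK/leaf.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -out "$WORK/leaf.crt" >/dev/null 2>&1

# SHA-256 fingerprint of a PEM certificate: the identifier a distrust list keys on.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Chain validation only: does the CA in "$2" vouch for the certificate in "$1"?
chain_ok() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# The client's decision: the chain must validate AND the fingerprint must not
# appear in the distrust list "$3" (one fingerprint per line). Prints ACCEPT or REJECT.
client_decision() {
    cert=$1; ca=$2; denylist=$3
    if ! chain_ok "$cert" "$ca"; then echo REJECT; return; fi
    fp=$(cert_fingerprint "$cert")
    if [ -f "$denylist" ] && grep -qxF "$fp" "$denylist"; then echo REJECT; return; fi
    echo ACCEPT
}

# Before the distrust update: the certificate is genuinely issued, so it is
# accepted even though, in the scenario, its private key is in someone else's hands.
: > "$WORK/disallowed.txt"
client_decision "$WORK/leaf.crt" "$WORK/ca.crt" "$WORK/disallowed.txt"   # ACCEPT

# After the update adds the leaked certificate's fingerprint: rejected, while the
# CA and every other certificate it issued stay trusted.
cert_fingerprint "$WORK/leaf.crt" >> "$WORK/disallowed.txt"
client_decision "$WORK/leaf.crt" "$WORK/ca.crt" "$WORK/disallowed.txt"   # REJECT
```

The distrust list is keyed on the certificate fingerprint rather than on the subject name, so a replacement certificate for the same name, issued with a fresh key, is unaffected; that is what lets a site keep serving HTTPS while the old certificate is being distrusted.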

Low chances of having previously been exploited in the wild

Despite the severity of the situation, it is unlikely that any attacker used this particular leaked private key in real-world attacks.

For starters, they would have had to be aware the private key was leaked, and then they would have needed to compromise a server that stands between Xbox Live customers and the Microsoft servers so that they’d be able to intercept traffic.

If both conditions were met, the attacker could have intercepted details of the many Xbox Live payments the company’s customers make every day.
