Microsoft has detected an issue with one of its Xbox SSL certificates, issued for the *.xboxlive.com domain, and has revoked it to avoid exposing customers to man-in-the-middle attacks.
The private key was used to validate one of the Xbox Live SSL certificates. These are employed to establish HTTPS (Secure) connections on the xboxlive.com website.
The 'private key' was leaked online and the company decided to safeguard users from situations where the key could be used in MitM attacks to intercept previously secure traffic. Microsoft have revoked the SSL certificate that the key validated.
"To help protect customers from potentially fraudulent use of the SSL/TLS digital certificate, the certificate has been deemed no longer valid and Microsoft is updating the Certificate Trust list (CTL) for all supported releases of Microsoft Windows to remove the trust of the certificate," Microsoft notes in one of its security advisories.
More recent products like Windows 10, Windows 8.1, Windows 8, Windows 10 Mobile, Windows Phone 8.1, Windows Phone 8, and Windows Server 2012 come equipped with an automatic certificate trust list updater. Now Microsoft have started pushing updates to all other products to fix the problem.
For users running older versions of Windows, they'll have to install KB 2677070, an update that added a similar mechanism for automatically updating certificate trust lists.
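The following PowerShell check is an added example, not from the article or from Microsoft: on a Windows host it reports whether the KB the article names is installed and whether the certificate currently served for an Xbox Live hostname still chains to trust on that machine. The endpoint name and port are assumptions; any *.xboxlive.com host on 443 serves the same purpose.

```powershell
# Added example (not from the article). Checks the KB named in the text and
# evaluates the served certificate through CryptoAPI, so the disallowed CTL
# that Microsoft updates is consulted; a distrusted entry appears as ExplicitDistrust.
function Test-XboxLiveCertTrust {
    param(
        [string]$HostName = 'www.xboxlive.com',  # assumed endpoint, not from the article
        [int]$Port = 443
    )
    # KB2677070 only matters on the older releases the article mentions;
    # Windows 8 / Server 2012 and later ship the CTL updater built in.
    $kb = Get-HotFix -Id 'KB2677070' -ErrorAction SilentlyContinue

    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept the handshake unconditionally; trust is evaluated explicitly below.
        $cb  = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $cb)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)

        # X509Chain.Build goes through the Windows chain engine, which applies
        # the Disallowed CTL as well as online revocation checks.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
        $trusted = $chain.Build($cert)

        [pscustomobject]@{
            KB2677070Installed = [bool]$kb
            Subject            = $cert.Subject
            Thumbprint         = $cert.Thumbprint
            NotAfter           = $cert.NotAfter
            TrustedByThisHost  = $trusted
            ChainStatus        = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        }
    }
    finally {
        $tcp.Close()
    }
}

Test-XboxLiveCertTrust
```

A result of `TrustedByThisHost = False` with `ExplicitDistrust` in `ChainStatus` means the CTL update has reached the machine and the revoked certificate is rejected; `True` on an up-to-date host simply means the server now presents a replacement certificate.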
Microsoft say that the chances are low that any attacker might have used this particular leaked private key in real-world attacks.
Hackers would have to be aware the private key was leaked, and then compromise a server that stands between Xbox Live customers and the Microsoft servers to intercept traffic.
If attackers had managed to do this, they would have been able to intercept details about the various Xbox Live payments the company's customers make on a daily basis.