Microsoft issues warning after Xbox Live certificate ‘inadvertently’ leaks

On the first Tuesday of every month, Microsoft issues a bumper pack of security fixes. The day has become known to many as “Patch Tuesday”, and serves as a regular date in the diary for system administrators responsible for ensuring that the computers inside their company will be updated and hardened against the latest threats.

If you’re a home user running a modern version of Windows, the updates should hopefully be automatically downloaded to your PC without too much interference – for many, the most they might see is a request to restart the computer if a particularly fiddly fix is trying to install itself.

Sure enough, on Tuesday this week Microsoft issued its December 2015 bundle of patches – fixing everything from Internet Explorer to Microsoft Edge (the new name for Internet Explorer) to Microsoft Office and Windows itself.

But what you may have missed is that on the same date Microsoft issued a separate advisory, warning of what appears to have been an embarrassing blunder on the company’s part:

“Microsoft is aware of an SSL/TLS digital certificate for *.xboxlive.com for which the private keys were inadvertently disclosed. The certificate could be used in attempts to perform man-in-the-middle attacks.”

If everything was working properly, users should be able to communicate securely with Microsoft’s Xbox Live website via HTTPS/SSL – safe in the knowledge that nobody could snoop upon the communications and steal data as it passed en route. Furthermore, you should be able to feel confident that the information being sent to you from xboxlive.com really is from the legitimate Xbox Live website.

But because the Xbox Live website’s private key somehow came to be leaked online, all bets are off.

A malicious attacker could in theory use the leaked security certificate to launch a man-in-the-middle attack, intercepting Xbox Live usernames, passwords and even payments made by game players.

It all sounds rather bad.

Fortunately, there is some positive news. Firstly, Microsoft has started pushing out updates to the likes of Windows 8, Windows 8.1, Windows RT, Windows RT 8.1, Windows Server 2012, Windows Server 2012 R2, Windows 10, and Windows 10 Version 1511, and for devices running Windows Phone 8, Windows Phone 8.1, and Windows 10 Mobile – all of which come with an automatic certificate trust list updater.

If you’re running an older version of Windows, then you should install the automated updater for untrusted certificates that is available for Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2.

There’s some more reassurance, in that Microsoft has confirmed that the leaked certificate cannot be used to issue other certificates, impersonate other domains, or sign code.

In further good news, Microsoft says that it has seen no indication that any malicious hackers have been exploiting the blunder. With luck, things will stay like that.

But questions have to be asked as to how Microsoft’s security certificate for xboxlive.com managed to leak onto the internet in the first place. This is information that should be treated like the Crown Jewels, heavily defended from unauthorised access because of the potential for serious harm to be caused.

We have to be thankful that remediating the problem is as simple as updating the list of trusted certificates, but you really would hope that a software giant like Microsoft would have such important security certificates under tighter guard than this.
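Two of the points above can be checked mechanically rather than taken on trust: what a leaked end-entity certificate can and cannot be used for (the basic constraints and extended key usage fields decide whether it can issue certificates, sign code or only serve TLS, and its subject alternative names decide which hostnames it covers), and how the untrusted-certificate list update neutralises it (clients refuse a certificate whose fingerprint is on the list, so the leaked key becomes useless even though it is still valid on paper). The Go program below is an added illustration written for this article, not code from Microsoft or from the advisory; it builds a constructed self-signed test certificate shaped like the one described (wildcard name `*.xboxlive.com`, CA:FALSE, server-authentication only) and the helper names `AssessLeak`, `Impersonates`, `Fingerprint` and `Distrusted` are assumptions of the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// LeakImpact summarises what an attacker holding the private key could do.
type LeakImpact struct {
	Names       []string // DNS names the certificate is valid for (SAN)
	CanIssue    bool     // BasicConstraints CA:TRUE would allow issuing other certs
	CanSignCode bool     // Extended Key Usage includes code signing
	CanServeTLS bool     // Extended Key Usage includes server authentication
}

// AssessLeak reads the X.509 fields that bound a leaked key's usefulness.
// Hypothetical helper for this example, not a Microsoft or Go API.
func AssessLeak(cert *x509.Certificate) LeakImpact {
	impact := LeakImpact{Names: cert.DNSNames}
	impact.CanIssue = cert.BasicConstraintsValid && cert.IsCA
	for _, eku := range cert.ExtKeyUsage {
		switch eku {
		case x509.ExtKeyUsageCodeSigning:
			impact.CanSignCode = true
		case x509.ExtKeyUsageServerAuth:
			impact.CanServeTLS = true
		}
	}
	return impact
}

// Impersonates reports whether the certificate's names cover host, applying
// the same wildcard rules a TLS client uses (one label only, no bare domain).
func Impersonates(cert *x509.Certificate, host string) bool {
	return cert.VerifyHostname(host) == nil
}

// Fingerprint returns the SHA-256 of the DER encoding, the value a distrust
// list pins so the exact leaked certificate can be rejected.
func Fingerprint(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.Raw)
	return hex.EncodeToString(sum[:])
}

// Distrusted mimics a client consulting its untrusted-certificate list
// before accepting an otherwise valid chain.
func Distrusted(cert *x509.Certificate, blocklist map[string]bool) bool {
	return blocklist[Fingerprint(cert)]
}

// NewTestLeafCert constructs a self-signed end-entity certificate shaped like
// the one in the advisory. Constructed sample only; not the real certificate.
func NewTestLeafCert() (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "*.xboxlive.com"},
		DNSNames:              []string{"*.xboxlive.com"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true, // emits CA:FALSE, so it cannot issue certs
		IsCA:                  false,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	cert, err := NewTestLeafCert()
	if err != nil {
		panic(err)
	}
	impact := AssessLeak(cert)
	fmt.Printf("names=%v issueCerts=%v signCode=%v serveTLS=%v\n",
		impact.Names, impact.CanIssue, impact.CanSignCode, impact.CanServeTLS)
	for _, h := range []string{"login.xboxlive.com", "xboxlive.com", "example.com"} {
		fmt.Printf("covers %-20s %v\n", h, Impersonates(cert, h))
	}
	// Simulate the trust list update: pin the leaked certificate's fingerprint.
	blocklist := map[string]bool{Fingerprint(cert): true}
	fmt.Println("distrusted after list update:", Distrusted(cert, blocklist))
}
```

Running it shows the wildcard covering `login.xboxlive.com` but not `example.com` (nor the bare `xboxlive.com`), the CA and code-signing capabilities both reported false, and the certificate rejected as soon as its fingerprint is on the list; that is the same reasoning Microsoft gives for why the leak is bad but contained, and why pushing a list update is sufficient remediation.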

Author Graham Cluley, We Live Security


Copyright © 2016 ESET, All Rights Reserved.