Private keys for xboxlive.com were “inadvertently disclosed”

The security certificate for xboxlive.com has been deemed invalid. According to Microsoft, the private keys for the “xboxlive.com” domain's digital certificate have been disclosed, so the certificate is no longer secure. Microsoft explains the issue further in an advisory issued on the company’s Security TechCenter.

“The certificate for the private keys were inadvertently disclosed,” the posting said, and it goes on to state that the company “is not currently aware of attacks related to this issue.” The issue affects all currently supported versions of Windows, and automatic updates were sent out on Tuesday to update the certificate trust lists in affected software.

The update was rolled out automatically to Windows 8, 8.1, RT, RT 8.1, Server 2012, Server 2012 R2, Windows 10, and Windows 10 Version 1511. An update was also rolled out to users of Windows Phone 8 and 8.1, as well as Windows 10 Mobile. For older operating systems like Windows 7, Vista, Server 2008 and Server 2008 R2, no user action is necessary if the automatic updater for certificate trust lists is in use.

Microsoft notes that if the certificate trust lists aren’t updated, attackers could use the disclosed private keys to convincingly ask for login information and gain access using a ‘man-in-the-middle’ method. Since the issue is not currently part of any known attacks, the update should be taken as a precautionary measure.


Do you think Windows 10’s automatic update system helps to alleviate the problem of waiting for security updates?