Microsoft leaks Xboxlive SSL server cert

Patch Tuesday not over yet

FAIL scrabble by https://www.flickr.com/photos/jeffdjevdet/ CC 2.0 attribution generic

Redmond is scrambling to propagate a new certificate for the *.xboxlive.com domain, having “inadvertently disclosed” the certificate's contents.

In its advisory, Microsoft says the accidental disclosure of the cert's private keys could expose customers to man-in-the-middle attacks, although the cert “cannot be used to issue other certificates, impersonate other domains, or sign code”.

Redmond doesn't say how many people may have seen the certificate.

All supported releases of Microsoft Windows carry the Xboxlive certificate, but revocation – which the company has in hand, it says – should propagate to everybody automatically.

If you're using anything from Windows 8 onwards, the process will be automatic. Users of Vista, Windows 7, Windows Server 2008 or Windows Server 2008 R2 will be covered if they use the automatic certificate updater, which Microsoft points to here.

If you're not covered by the automatic update, Microsoft says you should add this to your untrusted certificates, using the Certificates MMC snap-in.

It's unlikely that the leak has been used in any active attacks. The certificate slip is in addition to Microsoft's mammoth 71-bug salute to Patch Tuesday. ®




Biting the hand that feeds IT © 1998–2018