Microsoft is warning Xbox Live users of possible man-in-the-middle (MitM) attacks after accidentally leaking a certificate's private keys.

In an advisory released on December 8th, Microsoft states that a disclosed digital certificate could lead to spoofing attacks against users.

"Microsoft is aware of an SSL/TLS digital certificate for *.xboxlive.com for which the private keys were inadvertently disclosed," the statement begins. "The certificate could be used in attempts to perform man-in-the-middle attacks."

While the issue affects all supported releases of Microsoft Windows, the exposed digital certificate cannot be used to issue other certificates, impersonate other domains, or sign code.

The main threat to users comes in the form of MitM attacks, in which an attacker could impersonate the "*.xboxlive.com" domain and attempt to intercept the website's secure connection.

"Each user in the communication unknowingly sends traffic to and receives traffic from the attacker, all the while thinking they are communicating only with the intended user," Microsoft explained, as reported by Techworm.

Such traffic could relay user information or sensitive data, including usernames and passwords, to the attacker, which could enable subsequent attacks, notes ZDNet.

At this time, Microsoft is not aware of any attacks related to this disclosure.
To protect users against fraudulent activities, Microsoft has invalidated the exposed certificate and is updating the Certificate Trust List (CTL) so that all versions of Microsoft Windows no longer trust the certificate.

No action is required on the part of users running Windows 8 and up. However, to prevent a possible hack in the future, observes International Business Times, it is recommended that users set up automatic updates for all supported releases of Microsoft Windows.

The disclosure of the certificate was included in 12 security bulletins released this week by Microsoft. You can read the analysis of Tripwire's Vulnerability and Exposure Research Team (VERT) regarding those bulletins here.
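One way an administrator can confirm that the CTL update has actually landed on a machine is to look for the leaked certificate in the Windows Disallowed certificate stores. The script below is an added example, not code from the article or from Microsoft; it assumes the certificate's thumbprint is taken from the Microsoft advisory (the value here is a placeholder) and that the CTL update places the entry in the Disallowed store.

```powershell
# Added example: verify the leaked *.xboxlive.com certificate is untrusted on this host.
# Assumption: the real thumbprint comes from the Microsoft advisory; this is a placeholder.
$LeakedThumbprint = 'PLACEHOLDER_THUMBPRINT_FROM_ADVISORY'

# Both the machine-wide and the current-user Disallowed stores are checked,
# since an entry in either causes chain building to reject the certificate.
$stores = @('Cert:\LocalMachine\Disallowed', 'Cert:\CurrentUser\Disallowed')
$found  = $false

foreach ($store in $stores) {
    $hits = Get-ChildItem -Path $store |
        Where-Object {
            $_.Thumbprint -eq $LeakedThumbprint -or $_.Subject -like '*xboxlive.com*'
        }
    foreach ($cert in $hits) {
        $found = $true
        Write-Output ('Untrusted entry in {0}: {1} thumbprint={2} notAfter={3}' -f
            $store, $cert.Subject, $cert.Thumbprint, $cert.NotAfter)
    }
}

if (-not $found) {
    # Nothing found: the CTL update has not been applied yet (or automatic updates are off).
    Write-Warning 'Leaked certificate not present in any Disallowed store; confirm Windows Update has applied the CTL change.'
}
```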