Xbox Certificate Leaked, Hacker Attacks on Xbox Live Possible

The company is removing trust in the certificate from all of its products and services.

In a security advisory, Microsoft announced that the private keys for the *.xboxlive.com certificate had been “inadvertently disclosed”.

The certificate could be used in attempts to perform man-in-the-middle attacks. There is no information about how the leak happened. To remedy the problem, Microsoft has updated its Certificate Trust List (CTL) for all the releases of Microsoft Windows.

“The certificate can be used by an attacker to impersonate the xboxlive.com domain and carry out so-called ‘man-in-the-middle’ attacks, which allow the attacker to intercept the website’s secure connection,” ZDNet explains. Essentially, this means the impersonation can trick an Xbox user into handing over their username and password, which could lead to further attacks.

Sure enough, on Tuesday this week Microsoft issued its December 2015 bundle of patches, fixing everything from Internet Explorer to Microsoft Edge (the new name for Internet Explorer) to Microsoft Office and Windows itself. Eight of these updates are rated as critical, and two in particular address vulnerabilities already known to be subject to attacks. It allows the players to experience games from the previous-generation console on the new Xbox, so there’s continuity and the users wouldn’t have to say goodbye to old favorites to make the jump to the new platform.

When everything is working properly, users should be able to communicate securely with Microsoft’s Xbox Live website via HTTPS/SSL, safe in the knowledge that nobody can snoop on the communications and steal data in transit.

More details about this security issue are available at Microsoft’s website.

Microsoft Takes Countermeasures After Xbox Live SSL Certificate Blunder