Microsoft disclosed the leak of website security certificates for “xboxlive.com” in a recent security advisory. The leak makes it possible for attackers to impersonate the service’s website. Microsoft did not say in the advisory how the leak occurred.
An attacker could use the leaked certificate to set up a fraudulent site and trick users into handing over their user names and passwords. The good news is that the leaked certificate can’t be used to generate new certificates, impersonate other domains, or sign code.
Microsoft said it was not aware of any attacks relating to the accidental leak.
The company has revoked trust in the certificate. On all supported versions of Windows the revocation is usually applied automatically, so users do not have to take any action.
As an addendum, Microsoft has released a variety of fixes for issues in its products this month. One of the biggest vulnerabilities affects all supported versions of Windows and stems from a memory corruption issue that could allow an attacker to install malicious software on unpatched machines.
A second major vulnerability, a privilege escalation flaw, exists in all versions of Internet Explorer. It could allow an attacker to gain the same user privileges as the victim account.