Microsoft has updated its Certificate Trust List (CTL) in response to the private key for an xboxlive.com SSL/TLS digital certificate being leaked online. The CTL has been updated for all supported releases of the Windows operating system.
While Microsoft has not provided details on how the leak occurred (the company only noted that the certificate for *xboxlive.com was "inadvertently disclosed"), it has stated that the compromised certificate could potentially be used by attackers to perform man-in-the-middle attacks against Xbox Live customers.
This issue affects all Windows operating systems that are still supported by Microsoft, including Windows 10, Windows Server and Windows Phone. You can see the full list of affected operating systems in Microsoft's Security Advisory 3123040.
According to Microsoft:
"To help protect customers from potentially fraudulent use of the SSL/TLS digital certificate, the certificate has been deemed no longer valid and Microsoft is updating the Certificate Trust list (CTL) for all supported releases of Microsoft Windows to remove the trust of the certificate."
Users of the following Windows operating systems will have their certificate trust lists updated automatically:
- Windows 8.1, Windows RT
- Windows RT 8.1
- Windows Server 2012
- Windows Server 2012 R2
- Windows 10
- Windows 10 Version 1511
- Windows Phone 8
- Windows Phone 8.1
- Windows 10 Mobile
"For systems running Windows Vista, Windows 7, Windows Server 2008, or Windows Server 2008 R2 that are using the automatic updater of certificate trust lists (see Microsoft Knowledge Base Article 2677070 for details), customers do not need to take any action as these systems will be automatically protected."
Microsoft has not provided recommendations on what to do if you run one of the other affected Windows operating systems.
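As an added check, not part of this article or of Microsoft's advisory, the following PowerShell verifies on a Windows machine whether the CTL update has actually arrived: it lists any xboxlive.com entry in the machine's Disallowed certificate store and reports when the automatic updater last synced the disallowed-certificate list. The `DisallowedCertLastSyncTime` value under the AuthRoot `AutoUpdate` registry key, and its FILETIME encoding, are assumptions about the auto-update mechanism rather than something the advisory documents.

```powershell
# Added example: confirm the revoked xboxlive.com certificate reached the
# Disallowed store through the CTL auto-update described in the advisory.
$SubjectPattern = '*xboxlive.com*'   # subject of the leaked certificate, per the advisory
# Assumption: the auto-updater records its disallowed-CTL sync time under this key.
$AutoUpdateKey  = 'HKLM:\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate'

function Get-DisallowedXboxLiveCerts {
    # Certificates in the Disallowed store are explicitly distrusted by CryptoAPI/SChannel,
    # so an entry here means TLS connections presenting this certificate will be rejected.
    Get-ChildItem -Path Cert:\LocalMachine\Disallowed |
        Where-Object { $_.Subject -like $SubjectPattern } |
        Select-Object Subject, Thumbprint, NotBefore, NotAfter
}

function Get-DisallowedCtlLastSync {
    # Assumption: the timestamp is stored as an 8-byte REG_BINARY FILETIME.
    $props = Get-ItemProperty -Path $AutoUpdateKey -ErrorAction SilentlyContinue
    $raw   = $props.DisallowedCertLastSyncTime
    if (-not $raw -or $raw.Length -lt 8) { return $null }
    [DateTime]::FromFileTimeUtc([BitConverter]::ToInt64($raw, 0))
}

$found = Get-DisallowedXboxLiveCerts
if ($found) {
    Write-Output 'Revoked xboxlive.com certificate is present in the Disallowed store:'
    $found | Format-Table -AutoSize
} else {
    Write-Warning 'No xboxlive.com entry in Cert:\LocalMachine\Disallowed; the CTL update may not have applied yet.'
}

$lastSync = Get-DisallowedCtlLastSync
if ($lastSync) {
    Write-Output "Disallowed CTL last synced (UTC): $lastSync"
} else {
    Write-Warning 'No disallowed-CTL sync timestamp found; the automatic updater may be disabled or blocked.'
}
```

Run it in an elevated PowerShell session; on systems where the automatic updater is disabled by policy or blocked from reaching Windows Update, both warnings are the expected signal that the CTL update has not been received.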
Yesterday, Microsoft also released a dozen security patches, most of which were for "critical" vulnerabilities on Windows operating systems.