Microsoft updates its Certificate Trust list due to Xboxlive.com certificate leak

Microsoft is trying to deal with a security issue that could allow malicious users to trick a Windows users into giving out their Xbox Live username and password. The problem was revealed this week when the company issued a security advisory, stating that the private keys to the digital certificate for the xboxlive.com web site had been "inadvertently disclosed".

The statement said:

"Microsoft is aware of an SSL/TLS digital certificate for *.xboxlive.com for which the private keys were inadvertently disclosed. The certificate could be used in attempts to perform man-in-the-middle attacks. It cannot be used to issue other certificates, impersonate other domains, or sign code. This issue affects all supported releases of Microsoft Windows. Microsoft is not currently aware of attacks related to this issue."

Microsoft has already updated its Certificate Trust list for all versions of Windows, so that the leaked certificate for xboxlive.com has been revoked. The company did not reveal how the certificate had been disclosed in the first place.

Source: Microsoft; Via: ZDNet

John Callaham