Microsoft has updated its Certificate Trust List after the private keys for a digital certificate issued for its Xbox Live domain (*.xboxlive.com) were disclosed. The company has also revoked trust in the affected certificate and released a security advisory to inform users of the issue.
While Microsoft states that it is not "currently aware of attacks related to this issue," the issue affects all supported releases of Windows and could allow an attacker to use the affected certificate to perform a man-in-the-middle attack against unprotected users and properties. Microsoft also notes, however, that the issue "cannot be used to issue other certificates, impersonate other domains, or sign code."
Users of recent Windows versions who keep their systems automatically up to date should already be protected, since those versions update their certificate trust lists automatically.
The situation is slightly different for users of earlier Microsoft operating systems, including Windows Vista, Windows 7, Windows Server 2008, and Windows Server 2008 R2. Unless the update that enables automatic certificate trust list updates, KB2677070, has previously been installed, these systems remain vulnerable. Users can verify whether they are protected by checking the Application log in Event Viewer or the Certificates Microsoft Management Console (MMC) snap-in for the new certificate.
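The checks described above can be scripted. The following PowerShell is an added example, not code from the article or from Microsoft; it assumes that the distrusted certificate is placed in the machine "Untrusted Certificates" store (Cert:\LocalMachine\Disallowed) and that a successful disallowed-CTL auto-update is logged by the CAPI2 provider as Application event ID 4112.

```powershell
# Added defender-side check (not from the article or Microsoft).
# Assumptions: distrusted certs appear in Cert:\LocalMachine\Disallowed,
# and CAPI2 logs Application event 4112 on a successful disallowed-CTL update.
$AutoUpdateKb  = "KB2677070"       # update named in the article
$SubjectMatch  = "*xboxlive.com*"  # domain named in the advisory

# 1. Is the automatic CTL updater available on this system?
#    Windows 8 / Server 2012 (NT 6.2) and later have it built in; Vista, 7,
#    Server 2008 and 2008 R2 need KB2677070 installed.
$osVersion = [Environment]::OSVersion.Version
if ($osVersion -ge [Version]"6.2") {
    Write-Host "OS $osVersion has the automatic CTL updater built in."
}
elseif (Get-HotFix -Id $AutoUpdateKb -ErrorAction SilentlyContinue) {
    Write-Host "$AutoUpdateKb is installed; automatic CTL updates are enabled."
}
else {
    Write-Warning "$AutoUpdateKb not found; this system will not pick up the revocation automatically."
}

# 2. Has the disallowed certificate list been refreshed? (assumed event ID)
$ctlEvent = Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'Microsoft-Windows-CAPI2'
    Id           = 4112
} -MaxEvents 1 -ErrorAction SilentlyContinue
if ($ctlEvent) {
    Write-Host "Last disallowed-CTL update logged at $($ctlEvent.TimeCreated)."
}
else {
    Write-Warning "No disallowed-CTL update event found in the Application log."
}

# 3. Is a certificate for the Xbox Live domain now in Untrusted Certificates?
$distrusted = Get-ChildItem Cert:\LocalMachine\Disallowed -ErrorAction SilentlyContinue |
    Where-Object { $_.Subject -like $SubjectMatch }
if ($distrusted) {
    $distrusted | ForEach-Object {
        Write-Host "Distrusted: $($_.Subject) thumbprint $($_.Thumbprint)"
    }
}
else {
    Write-Warning "No $SubjectMatch certificate in the Untrusted Certificates store yet."
}
```

Run it from an elevated PowerShell prompt so the machine store and the Application log are readable; a warning from any of the three steps means the revocation has not reached that system.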
Source: Microsoft via PC World | Binary Code image courtesy of Shutterstock