Microsoft has been forced to update its Certificate Trust list (CTL) for all supported releases of Microsoft Windows after it had inadvertently leaked private security keys for its xboxlive.com domain.
The firm said in a security advisory that it was aware that a digital certificate for the domain had private keys that were 'inadvertently disclosed' and that the certificate could be used in attempts to perform man-in-the-middle attacks, such as tricking an Xbox user into handing over their username and password, leading to other attacks.
However, it added that these keys 'cannot be used to issue other certificates, impersonate other domains, or sign code'.
“To help protect customers from potentially fraudulent use of the SSL/TLS digital certificate, the certificate has been deemed no longer valid and Microsoft is updating the Certificate Trust list (CTL) for all supported releases of Microsoft Windows to remove the trust of the certificate,” Microsoft said in a statement.
While Microsoft made the admission of the leak, it did not specify how it happened but said that it was “not currently aware of attacks related to this issue”.
Patrick Hilt, CTO of Miracl told SCMagazineUK.com that the incident underscores a fundamental architectural flaw inherent to the design of PKI, which is the security infrastructure that underlies digital certificates.
“Whoever holds a certificate authority's root key can issue a legitimate certificate to perform a man in the middle attack, decrypting traffic that is meant to be secured between a client and a server,” he said.
“The commercial digital certificate industry in general, is broken, and it needs to be replaced. This latest incident is just one of many whereby the commercial certificate authority's position as a single point of trust is causing serious problems,” said Hilt.
He added that Microsoft took the correct steps for a short-term solution by updating the Certificate Trust list (CTL) for all supported releases of Microsoft Windows to remove the trust of the certificate.
“Unfortunately it's just mitigation. Older versions of Windows don't automatically update the CTL unless CTL updater service is manually installed, which will leave some machines open to a MITM attack,” he added.
“In the long term, the tech industry must realise that PKI isn't fit for purpose since the single entity holding the root key can have such an adverse impact on the trust relationship with end users. We need a paradigm shift towards distributed trust. Under such a paradigm, compromised of one of the trust roots will not enable an attacker to implement an attack.”
John Gunn, vice president at Vasco Data Security told SCMagazineUK.com that a large-scale attack that would place significant numbers of XboxLive users at risk “are simply not going to happen”.
“The leak does open the door to possible man-in-the-middle attacks, but hacking organisations with the potential to inflict serious damage have other methods of attack that will yield better results than this could,” he said.
Gunn added that leaked certificates could enable an MitM attack and capture a user's login credentials (user name and password).
“Then, if an organisation did not use two-factor authentication and had weak access privilege management, they would have a higher level of exposure to this and many other attacks. Most companies who have implemented basic IT security defences are not at risk because of this leak.”
Gunn added that as far as the likely cause of the leak, it was either down to someone not adhering to a security protocol or procedure, or the procedure was faulty, with the former being far more likely.
“It is doubtful that Microsoft will ever disclose this information in detail,” he said.
Kevin Bocek, vice president of Security Strategy & Threat Intelligence at Venafi, told SCMagazineUK.com that Microsoft has a “poor record” on certificate security, from the Flame malware due to MD5, through to expired certificates causing Azure Storage outages.
“That said, it's an issue for every organisation, not just Microsoft,” he said. “Over the past five years we have seen a huge rise in trust-based attacks using digital keys and certificates – with some being sold and traded on the dark web. One of the problems is that companies simply aren't keeping proper tabs on their keys and certificates, so it is easy for hackers to pick them up and use them.”
Josh Goldfarb, CTO of Emerging Technologies at FireEye, told SCMagazineUK.com that although there is potential for abuse here, the risk is relatively easy to remediate by updating the list of trusted certificates. “It should also be noted that this issue is not produced through a vulnerability or flow in the operating system of the computing device itself,” he said.
