December Patch Tuesday avalanche of patches includes leaked Xbox certificate
Today, Microsoft issued three new security advisories and a dozen new patches in the company’s monthly round of security updates. And one of the advisories was apparently the result of a security fumble by Microsoft's internal IT team—the inadvertent disclosure of the private encryption keys for a wildcard SSL/TLS certificate.
The certificate, which was used for Microsoft's xboxlive.com domain, has been revoked on Microsoft's Certificate Trust list, but it could potentially be used to attack systems that haven't been updated in man-in-the-middle attacks that "spoof" the Xbox Live network. Microsoft isn't saying how the certificate was "inadvertently disclosed", but it's likely that the "wildcard" certificate was accidentally shared with a partner. It's unlikely that the certificate will be used for an attack now that it's been revoked, but systems that don't regularly get their certificate trust lists updated might still be vulnerable.
System administrators have a bigger headache to deal with: an update issued today for Microsoft Windows DNS that patches a remote code execution vulnerability. Rated "critical" by Microsoft, the bug in DNS affects Windows Server 2008 and later. It could allow an attacker to send a "specially-crafted" Domain Name Service request to a Windows DNS server that can run commands on the server with the permissions of the Local System account—giving the attackers a wide range of access to the server that could easily be escalated.