CryptoAPI implements a methodology that lets application developers create applications that automatically verify certificates against a predefined list of trusted certificates or roots.

This list of trusted entities (called subjects) is called a certificate trust list (CTL).

The information provided in this advisory is provided "as is" without warranty of any kind.


In all forms of cryptography, a value known as a key is used in conjunction with a procedure called a crypto algorithm to transform plaintext data into ciphertext.

In the most familiar type of cryptography, secret-key cryptography, the ciphertext is transformed back into plaintext using the same key.

However, in a second type of cryptography, public-key cryptography, a different key is used to transform the ciphertext back into plaintext. In public-key cryptography, one of the keys, known as the private key, must be kept secret.

The other key, known as the public key, is intended to be shared with the world.

For systems running Windows Vista, Windows 7, Windows Server 2008, or Windows Server 2008 R2 that are using the automatic updater of certificate trust lists (see Microsoft Knowledge Base Article 2677070 for details), customers do not need to take any action as these systems will be automatically protected.

The SSL/TLS certificate could be used to perform man-in-the-middle attacks against Xbox Live customers.

The issue was caused by the inadvertent disclosure of private key information for a cryptographic certificate for *.

Does this update address any other digital certificates?

What is Microsoft doing to help with resolving this issue?

Although this issue does not result from an issue in any Microsoft product, we are nevertheless updating the CTL and providing an update to help protect customers.

Microsoft will continue to investigate this issue and may make future changes to the CTL or release a future update to help protect customers.