Microsoft moves to fix Windows Live security flaw

Microsoft is moving to prevent hackers from gaining a foothold through a security vulnerability associated with certain Windows Live Web addresses.

The company said Monday that a fraudulent security certificate was issued for its live.fi Web properties, potentially allowing hackers to “spoof content, perform phishing attacks” or intercept user traffic.

Microsoft responded with a series of software updates, while certificate issuer Comodo has revoked the certificate.

“An email account was able to be registered for the live.fi domain using a privileged username, which was subsequently used to request an unauthorized certificate for that domain,” Microsoft said in an advisory.

The company urged users to update their software as soon as possible in order to protect themselves.

Updates associated with Windows 8 and 8.1 will block the certificate automatically, while the service must be installed by people using Windows 7 and Windows Server 2008.

Ars Technica’s Dan Goodin explained that the vulnerability appears to stem from “someone obtaining an e-mail address that’s typically reserved for website operators to demonstrate their control of a given domain,” per Microsoft.

“The ease in obtaining such certificates and the difficulty in killing them off once they’re issued are potent reminders of the continued insecurity of one of the Internet’s most important security mechanisms. Until browser makers declare this credential dead, people visiting any Windows Live domain should remain extra vigilant,” Goodin wrote.


Copyright 2023 Nexstar Media Inc. All rights reserved. This material may not be published, broadcast, rewritten, or redistributed.