Recently we brought you the news of 9 rogue SSL certificates that were issued after an affiliate of an Internet security firm was compromised. The certificates impact popular domains, making them a real threat.
According to Comodo, the firm whose affiliate was cracked, the attack was executed by a nation-state.
Microsoft is scrambling to protect its products from the potential vulnerabilities, and plans to release a Windows Phone 7 update to block the fake SSL certificates.
According to a statement received by WinRumors, Microsoft had this to say on the matter: “Fraudulent digital certificates are not a Microsoft security vulnerability. We have been working to develop a mitigation update for Windows Phones.”
That raises two immediate questions: how will the update be delivered, and when? Given Microsoft's bungling of recent updates, there is little market confidence in its ability to successfully execute one. Microsoft could attempt to send the patch ‘over the air,’ but after such a struggle with the simpler, more traditional system of plugging a phone into a computer to receive an update, we doubt that will be the case.
Microsoft has no current time frame as to when the update will be made available, stating that it will provide “additional guidance as it comes available.”
Should you be worried? If you are accessing the listed sites here on your WP7 handset, maybe a very little bit. However, if you are on a desktop PC, Microsoft has an update in the works that will sort your computer with no effort on your part.
We will bring more details as they become available.