Microsoft issues first Windows Phone 7 security update - update
Microsoft has released the first security update for its Windows Phone 7 smartphone operating system. According to the company's Windows Phone update history page, update 7.0.7392.0 includes a critical fix that addresses the problem of fraudulent SSL certificates which were issued after an attacker compromised the Comodo SSL Certification Authority. At the end of March, browser makers began blocking the fake certificates for the login.live.com, mail.google.com, www.google.com, login.yahoo.com, login.skype.com and addons.mozilla.org domains.
Microsoft notes that, as these untrusted certificates could be used to spoof content or perform phishing or man-in-the-middle (MITM) attacks, all users are advised to upgrade; however, in its security advisory, the company says that "the update is not available to all customers at the time of release."
In mid-April, Apple released updates for its iOS mobile operating system and Security Update 2011-002 for systems running versions 10.5 and 10.6 of Mac OS X to block the fraudulent SSL certificates noted above.
Update: In a post on the Windows Phone Developer Blog, Microsoft's Brandon Watson has confirmed that users who have previously updated their Windows Phone 7 devices via an unofficial update tool will not be able to update to the version with the security fixes.
According to Watson, the unofficial process performed an incomplete update that left the phone in an unknown state, and the official update process will not run on a phone in that condition. Watson says there is currently no fix from Microsoft for the update problem, but that the creators of the unofficial update tool are working on the issue and the company will help to validate their correction.
- Fraudulent Digital Certificates Could Allow Spoofing, security advisory from Microsoft.
- Proposals for the future of certificates, a report from The H.
- Comodo: two more resellers were compromised, a report from The H.