Microsoft is set to release a security update for Windows Phone 7 to block SSL certificates that may potentially hamper users of WP devices. Microsoft had previously warned of certificates that appear to have been issued fraudulently for the following sites:
login.yahoo.com (3 certificates)
While it’s currently unclear how Microsoft intends to distribute the patches for their handsets, it’s possible that they’ll use the ‘over-the-air’ update system, as opposed to a major firmware update. Microsoft’s Trustworthy Computing manager, Bruce Cowper, had this to say:
Fraudulent digital certificates are not a Microsoft security vulnerability. We have been working to develop a mitigation update for Windows Phones.
Interestingly, Comodo themselves appear to believe that the attacks could be politically-motivated, or state-driven. Melih Abdulhayoglu, Comodo’s founder, had this to say about the attacks:
First time we’re seeing a “state funded” attack against the “Authentication” infrastructure. The Threat Model is changing and Comodo had already initiated a proposal for new standards in 2010 which would help mitigate some of these attacks. We’ll make sure to double our efforts in getting industry wide acceptance to these much needed standards so that we can continue to defend our security and freedom.