This past March, one of the companies charged with verifying the identities of entities applying for SSL certificates got a little lax in its security protocols, letting some bad guys issue themselves some fraudulent SSL certs. In theory, someone could use one of those certificates to impersonate a legitimate website, while your browser would think everything was still kosher. Luckily, since we know of the certificates’ existence, we can tell web browsers to red-flag them as invalid. Microsoft, for one, responded by informing Windows Phone 7 users that it would be issuing an update to make this change, blocking the certs. Then in April we heard a rumor that the security update would be coming out today, May 3. Sure enough, Windows Phone update 7.0.7392.0 is now available.
We initially had hopes that, because this update would be so small when compared to previous releases, only needing to change a few lines of text, Microsoft might make it the first Windows Phone 7 update to be distributed OTA. Instead, we’re hearing that it’s another case of OTA notifications, but with a Zune connection required to actually download and install the patch.
While the chances of anyone actually trying to implement an attack based on this vulnerability are very low, considering the effort needed to set up a man-in-the-middle situation and the very public revelation of the threat, do yourself a favor and take a moment to install Microsoft’s update, if only to have a fully up-to-date WP7 smartphone.