Microsoft Patches Windows Phone Against Comodo Hack
Users who jailbroke their phones to get early access to Microsoft's NoDo update are finding they can't get the latest patch, intended to protect against the fraudulent SSL certificates issued by Comodo.
Microsoft is rolling out updates to devices and platforms, including Windows Phone 7, affected by the fraudulent SSL certificates issued by Comodo. It is nice to see Microsoft both willing and able to get updates out to its phone platform in a timely manner. After the delays of the February 2011 update and the March NoDo update, people were beginning to wonder.
Just this week Microsoft started rolling out NoDo to the HTC Surround on AT&T and to customers of Optus in Australia. Telestra customers are in the "scheduling" phase which means they should get the update in a few days. NoDo was released in March, so for some this is coming six weeks late.
As a result of being forced to wait by some carriers that didn't take their customers' desire for copy and paste seriously, some people took a shortcut. There was a hack (by the same people that gave us Chevron7) that would download the update directly from Microsoft, bypassing the carrier entirely. Microsoft warned that this wasn't a smart thing to do. The consequences of this rogue update process may leave the phone in an unpredictable state and prevent further updates. Turns out Microsoft was right.
The Comodo issue involved mail.google.com, login.live.com, login.skype.com, www.google.com, and five other popular sites. While Comodo has added the bad certificates to its certificate revocation list, Microsoft decided to patch Windows Phone 7 as well as most of its supported desktop platforms. Windows Mobile 6.x, the Kin, and all Zune devices are affected as well, but no word yet on whether or not they will get updated.
As Microsoft began releasing the new update, dubbed 7392, it discovered that phones that had the Chevron7/NoDo hack wouldn't take the update. Their response? "We told you so" about sums it up. Honestly, I see no other reasonable response for Microsoft to make. Why should they spend any resources customizing an update to work on a device that has been hacked and configured in an unexpected way?
That said, the creators of Chevron7 developed another fix to undo the mess they made and Microsoft worked with them to verify it put the devices back the way they were so 7392, and presumably future updates, would take.
Let us know if you have a Windows Phone 7 device and when 7392 starts rolling out for you.
How Enterprises Are Attacking the IT Security EnterpriseTo learn more about what organizations are doing to tackle attacks and threats we surveyed a group of 300 IT and infosec professionals to find out what their biggest IT security challenges are and what they're doing to defend against today's threats. Download the report to see what they're saying.
IT Strategies to Conquer the CloudChances are your organization is adopting cloud computing in one way or another -- or in multiple ways. Understanding the skills you need and how cloud affects IT operations and networking will help you adapt.