Microsoft Patches Windows Phone Against Comodo Hack
Users who jailbroke their phones to get early access to Microsoft's NoDo update are finding they can't get the latest patch, intended to protect against the fraudulent SSL certificates issued by Comodo.
Microsoft is rolling out updates to devices and platforms, including Windows Phone 7, affected by the fraudulent SSL certificates issued by Comodo. It is nice to see Microsoft both willing and able to get updates out to its phone platform in a timely manner. After the delays of the February 2011 update and the March NoDo update, people were beginning to wonder.
Just this week Microsoft started rolling out NoDo to the HTC Surround on AT&T and to customers of Optus in Australia. Telestra customers are in the "scheduling" phase which means they should get the update in a few days. NoDo was released in March, so for some this is coming six weeks late.
As a result of being forced to wait by some carriers that didn't take their customers' desire for copy and paste seriously, some people took a shortcut. There was a hack (by the same people that gave us Chevron7) that would download the update directly from Microsoft, bypassing the carrier entirely. Microsoft warned that this wasn't a smart thing to do. The consequences of this rogue update process may leave the phone in an unpredictable state and prevent further updates. Turns out Microsoft was right.
The Comodo issue involved mail.google.com, login.live.com, login.skype.com, www.google.com, and five other popular sites. While Comodo has added the bad certificates to its certificate revocation list, Microsoft decided to patch Windows Phone 7 as well as most of its supported desktop platforms. Windows Mobile 6.x, the Kin, and all Zune devices are affected as well, but no word yet on whether or not they will get updated.
As Microsoft began releasing the new update, dubbed 7392, it discovered that phones that had the Chevron7/NoDo hack wouldn't take the update. Their response? "We told you so" about sums it up. Honestly, I see no other reasonable response for Microsoft to make. Why should they spend any resources customizing an update to work on a device that has been hacked and configured in an unexpected way?
That said, the creators of Chevron7 developed another fix to undo the mess they made and Microsoft worked with them to verify it put the devices back the way they were so 7392, and presumably future updates, would take.
Let us know if you have a Windows Phone 7 device and when 7392 starts rolling out for you.
Building A Mobile Business MindsetAmong 688 respondents, 46% have deployed mobile apps, with an additional 24% planning to in the next year. Soon all apps will look like mobile apps – and it's past time for those with no plans to get cracking.
InformationWeek Must Reads Oct. 21, 2014InformationWeek's new Must Reads is a compendium of our best recent coverage of digital strategy. Learn why you should learn to embrace DevOps, how to avoid roadblocks for digital projects, what the five steps to API management are, and more.