Microsoft Releases First Windows Phone Security Update
Microsoft has released the first security update for Windows Phone 7, replicating for smartphone users a patch the company gave Windows desktop users six weeks ago.
When the update will actually reach users is unclear.
"At the time of release, the update is not available for all Windows Phone 7 customers," Microsoft said in a security advisory . "Instead, customers will receive an on-device notification once the update is available for their phone."
Tuesday's update is designed to blacklist nine digital certificates acquired by a hacker in March from Comodo, one of many companies that issues SSL (secure socket layer) certificates.
"This update moves the affected certificates to the 'Untrusted Publishers' certificate store on Windows Phone, which helps ensure that these fraudulent certificates are not inadvertently used," Microsoft said in an explanation on its Windows Phone update history Web page.
Shortly after Comodo acknowledged the attack, an Iranian claimed responsibility for hacking into the company's network and making off with the certificates.
On March 23, Microsoft updated Windows XP, Server 2003, Vista, Server 2008, Windows 7 and Server 2008 R2 to add the stolen certificates to each operating system's blacklist. Google and Mozilla had updated their Chrome and Firefox browsers earlier.
Microsoft did not respond to questions Tuesday, including why the Windows Phone 7 update was released six weeks after the Windows desktop patch.
In a blog post, a Microsoft executive said the update would not reach all Windows Phone 7 users immediately.
"How you get 7392 depends on your mobile operator and what updates you've installed," said Eric Hautala, general manager of Windows Phone 7's customer experience engineering team, in a May 3 blog . "Customers with Deutsche Telekom and Optus, for example, will receive 7392 and the March update together ... [but] if you've already installed the March update, you'll receive 7392 as a standalone download or bundled with a future update."
Hautala's reference to "7392" was to the patch that adds the stolen Comodo certificates to the Windows Phone 7's blacklist. When a smartphone receives the update, it displays "OS version: 7.0.7392.0" in the device's Settings screen.
According to Microsoft's timetable, all U.S. users of Windows Phone 7-powered smartphones have already received the March update -- dubbed "NoDo" by the company -- or are in the process of receiving that update, making it uncertain when they would get the certificate-related update.
Several HTC and LG smartphone owners reported on various Windows Phone 7 forums Tuesday that they had received the update, however.
But some who had used an unauthorized tool last month to get the NoDo update said that they were unable to install Tuesday's patch.
After developer Chris Walsh released the tool in early April -- and before Microsoft asked him to pull it -- Hautala had claimed that users might not receive future updates, or could experience other problems if they used Walsh's software.
Walsh had stepped in when Microsoft was unable to promptly deliver a pair of promised feature-related, non-security updates for Windows Phone 7. By late March, users were ranting online about the slow progress of those updates, which eventually prompted a mela culpa from Microsoft's chief smartphone executive.
On Tuesday, Walsh reported that he had successfully retrieved and installed the security update on three different phones that he had earlier "walshed" -- the nickname others have given to the process of grabbing early updates using his tool -- but was asking others to share their experiences. Several responded, saying that they had received error code 81080005 after the updated failed to install.
To install the security update, users must connect their smartphone to a PC or Mac.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed. His e-mail address is firstname.lastname@example.org.
Read more about security in Computerworld's Security Topic Center.