Flame used a man-in-the-middle (MITM) attack on users via a forged Microsoft certificate. Yes, it attacked you through Windows Update – it sucks, but this can happen. Windows Update does use a secure connection, but apparently one of the certs used a weak cryptographic hash (this is the most likely avenue of attack; it isn't confirmed that the cert wasn't hacked, and Microsoft says 'collision attack') and, as I posted about the other day, Flame used this against its victims.
This is scary in that it’s kinda like your antivirus being exploited or some such thing. Updates should keep you safe, not put you in danger.
That said, this wasn't a typical case. It still demonstrates the problem of trusting a single authority to verify contents (I'm not sure how well Windows Update handles this; Linux does a lot of verification), but it isn't the typical case – the attackers needed a few things to line up, and one of those was probably a really weak cert, as well as a mistake that left those certs chained to root certs. Most root certs aren't signed with MD5 anymore, so it's much harder for attackers to MITM without outright stealing them.
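The weak-hash problem above can be caught before a cert is trusted by inspecting its signatureAlgorithm. This is an added example, not code from the original post: stdlib-only Python that reads the outer AlgorithmIdentifier of a DER certificate and flags MD5/SHA-1 signatures. The certificate bytes are a constructed shell for testing, not a real certificate, and the weak-OID list is my assumption.

```python
# Standard PKCS#1 signature-algorithm OIDs treated as weak (assumed list).
WEAK_SIG_OIDS = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
}
def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                              # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length
def _decode_oid(content):
    """Convert OID content octets to dotted-decimal text."""
    arcs, acc = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                           # last base-128 digit of this arc
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))
def signature_oid(der):
    """Dotted OID from the outer signatureAlgorithm of Certificate ::= SEQUENCE."""
    _, cert, _ = _read_tlv(der, 0)                 # outer Certificate SEQUENCE
    _, _, pos = _read_tlv(cert, 0)                 # skip tbsCertificate
    _, alg_id, _ = _read_tlv(cert, pos)            # AlgorithmIdentifier SEQUENCE
    tag, oid, _ = _read_tlv(alg_id, 0)
    if tag != 0x06:
        raise ValueError("expected OID in AlgorithmIdentifier")
    return _decode_oid(oid)
def weak_signature(der):
    """Name of the weak signature algorithm, or None if the digest is acceptable."""
    return WEAK_SIG_OIDS.get(signature_oid(der))

# Constructed test input: a DER Certificate shell, not a real certificate.
def _tlv(tag, value):
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value
def skeleton_cert(alg_oid_der):
    alg = _tlv(0x30, alg_oid_der + b"\x05\x00")                # OID + NULL params
    tbs = _tlv(0x30, b"\x02\x01\x01" + alg)                    # serial 1, signature
    return _tlv(0x30, tbs + alg + _tlv(0x03, b"\x00" * 200))   # forces long-form length
MD5_RSA = b"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x04"      # md5WithRSAEncryption
SHA256_RSA = b"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"   # sha256WithRSAEncryption
```

Run it over a real chain by feeding each certificate's DER bytes to weak_signature; any hit means the chain should not be trusted to vouch for updates.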
A lot of people have been critical of Chrome's and Adobe Flash's new auto-update features, saying they will be exploited. While that's possible, it isn't hard to make auto-updating fairly difficult to hack: it's a matter of strong crypto and a lot of verification. Staying current on patches is far more important than worrying about targeted attacks involving hacked certs – exercise some risk management here.
Think about it this way. If you never updated, you were safe from Flame directly trying to MITM you, but it also attacked using vulnerabilities that already have patches out. And there are a hundred other vulnerabilities it could have used if you hadn't patched.
If you're super paranoid, you can try to download patches directly from what you can verify is a 'trusted' network and then apply them like hotfixes. I don't recommend this. In fact, forget I said it.
Anyways (and I say this with full knowledge of the irony), you should run Windows Update to remove the faulty certs.
If you're fully up to date, that should really cover preventing Flame infections.