DigiNotar hacker claims he can issue fake Windows updates
The hacker known as Comodohacker, who allegedly broke into Dutch certificate authority DigiNotar and made off with hundreds of fraudulent digital certificates, has stepped forward with the claim that he can issue fake Windows updates.
In a message posted on Pastebin, Comodohacker wrote: "I'm able to issue windows update, Microsoft's statement about Windows Update and that I can't issue such update is totally false! I already reversed ENTIRE windows update protocol, how it reads XMLs via SSL which includes URL, KB no, SHA-1 hash of file for each update, how it verifies that downloaded file is signed using WinVerifyTrust API."
For its part, Microsoft (NASDAQ: MSFT) says that the Windows Update client will only install binary files that are signed by the root CA certificate of the company. Despite taking steps to revoke certificates from DigiNotar, the company has maintained that "Windows Update itself is not at risk, even to an attacker with a fraudulent certificate."
What Microsoft says makes sense, and administrators can probably heave a collective sigh of relief that they are not under imminent security threat.
In the same message, however, Comodohacker reiterated that he has access to four more certificate authorities, which is worrying for the additional havoc that may yet result. With trust being of paramount importance where digital certificates are concerned, confidence is currently low, given that certificate authorities have been compromised with seeming impunity.
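The reasoning behind Microsoft's statement can be modelled in a few lines. This is an added example, not Microsoft's code or anything from the original article: Ed25519 key pairs stand in for X.509 certificates and Authenticode signatures, and every name in it (`verifyUpdate`, `issueCert`, the `KB0000000` placeholder) is hypothetical.

```javascript
// Added illustration: a simplified model, not Microsoft's Windows Update code.
const crypto = require('node:crypto');

const newKey = () => crypto.generateKeyPairSync('ed25519');
const der = (pub) => pub.export({ type: 'spki', format: 'der' });
const sha1 = (buf) => crypto.createHash('sha1').update(buf).digest('hex');

// A "certificate" here is only a signer public key plus the issuer's signature over it.
function issueCert(issuerKeys, subjectPub) {
  return { subjectPub, issuerSig: crypto.sign(null, der(subjectPub), issuerKeys.privateKey) };
}

// Sign a binary with a code-signing key and attach the certificate for that key.
function signBinary(binary, signerKeys, cert) {
  return { binary, cert, sig: crypto.sign(null, binary, signerKeys.privateKey) };
}

// Client check: (1) hash from the metadata, (2) signature over the binary,
// (3) signer certificate issued by the single pinned root, not by any trusted CA.
function verifyUpdate(metadata, pkg, pinnedRootPub) {
  if (sha1(pkg.binary) !== metadata.sha1) return 'hash-mismatch';
  if (!crypto.verify(null, pkg.binary, pkg.cert.subjectPub, pkg.sig)) return 'bad-signature';
  if (!crypto.verify(null, der(pkg.cert.subjectPub), pinnedRootPub, pkg.cert.issuerSig)) {
    return 'untrusted-root';
  }
  return 'ok';
}

// Constructed scenario: vendor root, vendor signing key, and a CA whose key is misused.
function demo() {
  const vendorRoot = newKey(), vendorSigner = newKey();
  const otherCa = newKey(), otherSigner = newKey();
  const genuine = signBinary(Buffer.from('genuine update'), vendorSigner,
    issueCert(vendorRoot, vendorSigner.publicKey));
  const forged = signBinary(Buffer.from('substituted file'), otherSigner,
    issueCert(otherCa, otherSigner.publicKey));
  // Metadata rewritten in transit so the hash matches the substituted file.
  const tampered = { kb: 'KB0000000', sha1: sha1(forged.binary) };
  return {
    genuine: verifyUpdate({ kb: 'KB0000000', sha1: sha1(genuine.binary) }, genuine, vendorRoot.publicKey),
    forged: verifyUpdate(tampered, forged, vendorRoot.publicKey),
    swapped: verifyUpdate(tampered, genuine, vendorRoot.publicKey),
  };
}

console.log(demo());
```

The hash in the metadata only binds the file to what the transport delivered; the decision to install rests on the signature chaining to the one pinned root, which a certificate issued by a different CA cannot satisfy.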
For more:
- check out this article at CNET News
- check out this article at New York Times