Flame Nightmare: stolen Microsoft certs spoof Microsoft Update

07.06.2012
The stolen Microsoft certificates that Microsoft revoked on Monday were used by the Flame malware to launch a man-in-the-middle (MITM) 'spoofing' attack on the Microsoft Update security update system, according to F-Secure.

Microsoft Update is the very system Microsoft employed to distribute Monday's emergency security update. The service is used to issue security updates for Internet Explorer, Office, and Windows Live.

Microsoft revoked trust for two Microsoft Root Authority certificates and one from Microsoft Root Certificate Authority after discovering that its Terminal Services licensing certificates (normally issued for enterprise server license verification) could be used to sign any code as having been made by Microsoft.

Microsoft's security update prevents attackers from signing code that fraudulently validates any software as Microsoft's.

According to F-Secure's chief research officer, Mikko Hypponen, the fake certificates were used to validate one of Flame's modules, which attempts a MITM attack on Microsoft Update. If successful, it drops a file called "WUSETUPV.EXE".

"This file is signed by Microsoft with a certificate that is chained up to Microsoft root. Except it isn't signed really by Microsoft," Hypponen wrote in an update Monday evening.
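For administrators who want to check what a "chains up to a Microsoft root" claim actually rests on, the following PowerShell script is an added example, not code from the article, F-Secure or Microsoft. It inspects a file's Authenticode signer, verifies that the leaf certificate carries the Code Signing EKU (a Terminal Services licensing certificate does not), and flags any chain element that now sits in the local machine's Untrusted (Disallowed) store, which is where the revocation update places the withdrawn certificates. The file path is a placeholder, and the set of flagged conditions is this example's own choice.

```powershell
# Added example: audit the Authenticode chain of a single file.
# Assumptions: $Path is a placeholder; the revoked certificates are expected in
# Cert:\LocalMachine\Disallowed (the "Untrusted Certificates" store).
param(
    [string]$Path = 'C:\path\to\suspect.exe'   # placeholder, not from the article
)

$codeSigningEku = '1.3.6.1.5.5.7.3.3'          # id-kp-codeSigning

$sig = Get-AuthenticodeSignature -FilePath $Path
Write-Output "Signature status: $($sig.Status) ($($sig.StatusMessage))"
if (-not $sig.SignerCertificate) {
    Write-Output 'No signer certificate present; nothing further to check.'
    return
}
$signer = $sig.SignerCertificate

# Rebuild the chain the way CryptoAPI does, with online revocation checking
# for every element rather than only the end-entity certificate.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'Online'
$chain.ChainPolicy.RevocationFlag = 'EntireChain'
$chainOk = $chain.Build($signer)

# Thumbprints of everything the system has been told not to trust.
$disallowed = Get-ChildItem Cert:\LocalMachine\Disallowed |
    Select-Object -ExpandProperty Thumbprint

$findings = @()

# 1. The leaf certificate must be entitled to sign code at all.
$hasCodeSigning = $false
foreach ($ext in $signer.Extensions) {
    if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
        foreach ($oid in $ext.EnhancedKeyUsages) {
            if ($oid.Value -eq $codeSigningEku) { $hasCodeSigning = $true }
        }
    }
}
if (-not $hasCodeSigning) {
    $findings += 'Signer certificate lacks the Code Signing EKU'
}

# 2. No element of the chain may be on the Disallowed list.
foreach ($element in $chain.ChainElements) {
    $cert = $element.Certificate
    if ($disallowed -contains $cert.Thumbprint) {
        $findings += "Chain element is in the Disallowed store: $($cert.Subject)"
    }
}

# 3. Surface whatever CryptoAPI itself objected to (revoked, untrusted root, ...).
if (-not $chainOk) {
    foreach ($status in $chain.ChainStatus) {
        $findings += "Chain status: $($status.Status) - $($status.StatusInformation.Trim())"
    }
}

if ($findings.Count -eq 0) {
    Write-Output "OK: $Path chains to a trusted root and its signer may sign code"
} else {
    $findings | ForEach-Object { Write-Output "WARN: $_" }
}
```

Run it against any binary that claims to be Microsoft-signed; on a machine that has not yet received the revocation update the Disallowed store may be empty, in which case the EKU check is the only one of the three that would still catch a licensing certificate used as a code-signing certificate.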