Microsoft on Tuesday released the first security update for Windows Phone 7, replicating for smartphone users a patch the company gave Windows desktop users six weeks ago.
When the update will actually reach users is unclear.
"At the time of release, the update is not available for all Windows Phone 7 customers," Microsoft said in a security advisory. "Instead, customers will receive an on-device notification once the update is available for their phone."
Tuesday's update is designed to blacklist nine digital certificates acquired by a hacker in March from Comodo, one of many companies that issues SSL (secure socket layer) certificates.
"This update moves the affected certificates to the 'Untrusted Publishers' certificate store on Windows Phone, which helps ensure that these fraudulent certificates are not inadvertently used," Microsoft said in an explanation on its Windows Phone update history Web page.
Shortly after Comodo acknowledged the attack, an Iranian claimed responsibility for hacking into the company's network and making off with the certificates.
On March 23, Microsoft updated Windows XP, Server 2003, Vista, Server 2008, Windows 7 and Server 2008 R2 to add the stolen certificates to each operating system's blacklist. Google and Mozilla had updated their Chrome and Firefox browsers earlier.
Microsoft did not respond to questions Tuesday, including why the Windows Phone 7 update was released six weeks after the Windows desktop patch.
In a blog post, a Microsoft executive said the update would not reach all Windows Phone 7 users immediately.
"How you get 7392 depends on your mobile operator and what updates you've installed," said Eric Hautala, general manager of Windows Phone 7's customer experience engineering team, in a May 3 blog. "Customers with Deutsche Telekom and Optus, for example, will receive 7392 and the March update together ... [but] if you've already installed the March update, you'll receive 7392 as a standalone download or bundled with a future update."
Hautala's reference to "7392" was to the patch that adds the stolen Comodo certificates to the Windows Phone 7's blacklist. When a smartphone receives the update, it displays "OS version: 7.0.7392.0" in the device's Settings screen.
According to Microsoft's timetable, all U.S. users of Windows Phone 7-powered smartphones have already received the March update -- dubbed "NoDo" by the company -- or are in the process of receiving that update, making it uncertain when they would get the certificate-related update.
Several HTC and LG smartphone owners reported on various Windows Phone 7 forums Tuesday that they had received the update, however.
Sign up for Computerworld eNewsletters.