"Once they confirmed [the certificate theft], it filled in the missing puzzle pieces," Liam O Murchu, director of operations for Symantec's security response center, said in an email reply to questions. "Without a Microsoft certificate these components did not make sense."
But it may be Microsoft's own moves since Monday, May 28, when Kaspersky Lab first released an analysis of Flame, that is the best evidence of the hack's gravity.
"You can get a pretty good idea by what Microsoft's done that they think this is very urgent," said Kandek. "They released the patch on Sunday, even though Patch Tuesday was just a little over a week away."
June's Patch Tuesday -- the name for Microsoft's religiously-scheduled security updates -- is next week.
Microsoft revoked three certificates -- those used to sign code in Flame -- on Sunday, June 3, only six days after Kaspersky disclosed the malware, an extremely rapid response for the company. The same day, Microsoft modified the Terminal Services licensing certificate authority (CA), the one hackers had exploited, so it could no longer issue code-signing certificates of any kind.
It's rare that Microsoft issues an emergency update rather than wait for the next Patch Tuesday. Last year, Microsoft shipped only one, and that was just two days before 2011's close. In 2010, Microsoft delivered four out-of-band updates and 104 on Patch Tuesdays.
On Wednesday Microsoft announced it would revamp how Windows updates are secured, saying that it would dedicate a new CA to Windows Update, in effect unlinking the service from all other Microsoft-generated certificates. The update to end users and enterprises -- the latter for WSUS, or Windows Server Update Services -- is to start reaching customers this week.
Andrew Storms, director of security operations at nCircle Security, said that should have been how Microsoft treated Windows Update from the get-go.
"Windows Update should have been an entirely different [certificate] stream than anything else," said Storms. "It's just too darned important to have been intermingled with any other chain of trust. For all that Microsoft has done to better their security practices, I'm pretty surprised they didn't think of this attack vector previously."
Storms was also critical of Microsoft's vague description of their plans to harden Windows Update.