Hypponen called the exploiting of the Windows Update and Microsoft Update -- two names for essentially the same service -- "the nightmare scenario" in security professionals' minds.
Microsoft seemed less concerned with Flame itself -- and its use of Microsoft-signed certificates -- than with the possibility that what it called "less sophisticated attackers" could leverage the same flaw to launch broader malware campaigns.
The company's Jonathan Ness, an engineer with the Microsoft Security Response Center, provided more detail on Flame's code-signing in a post to the Security Research & Defense blog.
The "out-of-band" update can be downloaded and installed via the Microsoft Update and Windows Update services, as well as through Windows Server Update Services.
Sign up for MIS Asia eNewsletters.