In other words
Someone has figured out how to spoof the M$ update system to install malware on your PC device.
An out of band patch, from none other than Microsoft, sounds like a familiar cause of a couple of panicked late nights. Rest easy today, dear readers, for even though that combination has arrived this time there's little need for alarm. The patch in question applies to Windows Update, the bit of Windows that downloads and …
"MS will care about Win 7 as it still makes money from it, when it drops off like XP then it'll all change."
I would lay a reasonable amount of money that MS will still be caring about 7 long after 8 has been consigned to the "Seemed like a good idea at the time" dustbin of history, given the number of corporate customers who are using 7. I suspect 7 will be the new corporate XP and will still be found around offices in 10 years' time.
I know Vista is in security-updates-only mode, but given that this was described as something that "further enhances the security of Windows Update", I wondered why that was not covered.
Thankfully I personally don't have to deal with Vista on a daily basis; my own needs (which are not internet-facing) are covered by XP in a VM.
With Heartbleed a few months ago, and the patches for OpenSSL having been applied by now, I think this patch is Microsoft revoking old certificates and rolling out new ones to be on the safe side. Having it separate from the other updates makes sense if they don't want it to end up in the middle and kill any secure session with the Windows Update servers mid-patch, or mess with code signing or something.
I know that Microsoft doesn't use OpenSSL, but whoever supplies them certificates might.
"With Heartbleed a few months ago, and the patches for OpenSSL having been applied by now, I think this patch is Microsoft revoking old certificates and rolling out new ones to be on the safe side"
I'm pretty sure none of Microsoft's internet-facing stuff relies on insecure Open Source stuff these days...
http://blogs.technet.com/b/security/archive/2014/04/10/microsoft-devices-and-services-and-the-openssl-heartbleed-vulnerability.aspx
"I know that Microsoft doesn't use OpenSSL, but whoever supplies them certificates might."
Nope. Microsoft don't use any of that rubbish in their PKI infrastructure:
http://www.microsoft.com/en-us/download/details.aspx?id=27581
Do you not understand how PKI works? Microsoft's certificates and certificate authorities are signed by a third-party CA, Baltimore CyberTrust, who may be the ones that use OpenSSL.
It is likely that Baltimore CyberTrust will be re-issuing certificates and revoking the old ones as a precautionary measure in the astronomically low chance that anything was actually compromised, so Microsoft needs to get the new ones in the hands of their users before BCT revokes the old ones.
I assume you posted anonymously because you are embarrassed by the fact you don't know a damn thing about what you are talking about.