Network & server security


  • #31
    Originally posted by Chris
    Am I remembering incorrectly, or didn't windows update get nailed by Code Red because they hadn't patched it?
    Sounds familiar. It's been long enough that I don't remember specifics off the top of my head, though.

    I don't think you are wildly speculating at all, since by that same token, any patch bearing website could be owned and you could DL trojaned patches/updates.
    Exactly... As long as you can sign them, the OS (or, more specifically in this case, ActiveX control) will assume they're good and install them.

    How about this as a hypothetical situation: France does not permit encryption for civilian use. Assuming that Windows Update operates without encryption on French-language versions of Windows (which must suck if you live in, say, Senegal or Canada), someone does a pcap of a WU session on a French release, and compares it to one of the US English release. Taking the two streams side-by-side would be useful in understanding the encryption of the US version, if not others.

    (Note: It's probably safe to assume that Microsoft has dispensation from the French government to allow crypto in Windows Update; if they didn't, someone would almost certainly have done this by now. But this is entirely hypothetical, after all.)

    What to do with the presumably-cleartext stream from the French version should be pretty straightforward: locate the keys used to sign the package and extract them, then figure out how to forge a signature well enough that it passes through the WU ActiveX control and allows a package to be installed. Granted, this is easier said than done but does demonstrate that the basic principles behind installing bogus updates aren't reaching into the realms of science fiction.

    Also, I believe that WU stores the IP address (not DNS name) of the WU server it should contact first in the ActiveX control in an encrypted format. Replace that (see: another mass-mailing worm) and there's a lot of potential for huge damage.
