[buffoon]

That might have been the only text that allowed the updated to be signed.

[dpark]

That's an interesting theory, but seems unlikely given that the TLDs are all real. Also that would imply a successful hash collision attack which seems exceedingly unlikely. And if true, why not mutate some random bytes in the payload to get the collision rather than the update text (which also may not actually even be stored as part of the signed update).

[anonymfus]

May be their attack is so specific that they could only use Microsoft signed files in update payload, so they send old vulnerable versions.

[dpark]

That would be an amazing exploit. I doubt it's the case, and I hope it's not, but it would be pretty amazing.