"Thursday's unscheduled update effectively blocks highly sensitive secure sockets layer (SSL) certificates covering 45 domains that hackers managed to generate after compromising systems operated by the National Informatics Centre (NIC) of India. That's an intermediate certificate authority (CA) whose certificates were automatically trusted by all supported versions of Windows"
I'd argue that's a problem in CA trust model, not MS. If you trust a certain CA, of course you trust their issued certificates by design. Currently, if some high tier CA f*cks up, there's no other way to invalidate their issued certificates than propagating CRLs and removing its certificate from the root CA stores manually (or by updates, as in MS case).
