
Agreed. Personally I wouldn't care if anyone intercepted a message saying what app I just installed. The author also neglected to mention if the payload contains anything that identifies the user.



It's SSL, how are you supposed to be able to read the payload? The article also explicitly mentions that no tests were run to figure out whether SSLv2 is used by the client.

You wouldn't personally care if messages were intercepted regarding the apps you're installing, but imagine the kind of leverage it would give someone trying to profile a network of activists in Syria. The exact version number of every app on every computer, perfect for studying the exploit surface.


L2 MITM SSL.


I've updated the article with information on what SmartScreen sends.


The article doesn't actually say that Microsoft is using SSLv2, but if they were, then someone could potentially execute a man-in-the-middle attack against a user of the service. Which is to say, they'd know exactly what you're downloading, along with any other information this service sends to Microsoft, and they'd be able to provide you with fake results for the software safety check that this service provides. Odds are they would also have your IP address, so they could also potentially link this to you (e.g. via your other browsing behavior over insecure HTTP). It would be a pretty serious flaw.

http://www.gnu.org/software/gnutls/manual/html_node/On-SSL-2...

http://en.wikipedia.org/wiki/Man-in-the-middle_attack


http://en.wikipedia.org/wiki/First_they_came...

First they came for the socialists, and I didn't speak out because I wasn't a socialist.



