It is definitely complicated but I would not expect to see update problems. Rather, Windows XP users of IE could be susceptible to "man-in-the-middle" attacks until the Microsoft update is issued or they manually remove the DigiNotar certificate. However, don't forget that the SRD blog post states that a man-in-the-middle attack can only occur if one of the following also occurs:
Quote:
- The attacker is on your local network (open wireless network, for example);
- The attacker owns or operates the network infrastructure between the victim client and the listening server; or
- The attacker controls the DNS server used by your ISP, or can influence your choice of DNS server via DHCP responses if a client gets DNS settings via DHCP.
It cannot be stated that all Windows Vista and above systems were completely safe and not at risk after the issuance of Security Advisory 2607712 because they could have had a cached DigiNotar as a trusted root CA. Fortunately, the cached list is updated client-side every seven days. That makes the last date an attack targeting Internet Explorer users on Windows Vista and later platforms might possibly be successful is today, September 5.
As explained by Greg Keizer in "Microsoft: Stolen SSL certs can't be used to install malware via Windows Update":
Quote:
According to Microsoft, the certificates issued for windowsupdate.com couldn't be used by attackers because the company no longer uses that domain. (Windows Update is now at windowsupdate.microsoft.com.) However, those for update.microsoft.com -- the domain for Microsoft Update -- and the wildcard *.microsoft.com could be.
As Ness said, updates delivered via Microsoft's services are signed with a separate certificate that's closely held by the company.
Without that code-signing certificate, attempts to deliver malware disguised as an update to a Windows PC would fail.