"What we found is that certificates issued by our Terminal Services licensing certification authority, which are intended to only be used for license server verification, could also be used to sign code as Microsoft. Specifically, when an enterprise customer requests a Terminal Services activation license, the certificate issued by Microsoft in response to the request allows code signing without accessing Microsoft’s internal PKI infrastructure."
In short, a spectacular security fuck-up. Their phone-home DRM is also a valid signing key whose trust chain goes all the way back up to the default-trusted Microsoft certificate ... oh darn! They are now doing a full-court press claiming the signing certificate was "un-authorized". D'oh. They left the keys in the door lock.
On a related note ... as long rumored, Stuxnet was a joint US/Israeli effort. It is no coincidence that severe malware findings come from non-US researchers.
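The statement quoted above boils down to a chain-validation question: a certificate issued for license-server verification was accepted for code signing because the leaf's purposes were not checked against those of its issuer. The following is an added example, not code from the post or from Microsoft; it models certificates as plain records with constructed names and extended-key-usage labels (the code-signing OID is the real one, the license-server label is a placeholder) and contrasts a leaf-only EKU check with one enforced along the whole chain.

```python
from dataclasses import dataclass
from typing import Optional, FrozenSet, List

CODE_SIGNING = "1.3.6.1.5.5.7.3.3"          # id-kp-codeSigning (real OID)
LICENSE_SERVER = "licenseServerVerification"  # constructed label, not a real OID


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    is_ca: bool
    eku: Optional[FrozenSet[str]] = None  # None = no EKU extension = unconstrained


def chain_is_linked(chain: List[Cert]) -> bool:
    """Leaf-first chain: each issuer field must name the next certificate,
    every non-leaf must be a CA, and the last one must be self-issued."""
    for cert, parent in zip(chain, chain[1:]):
        if cert.issuer != parent.subject or not parent.is_ca:
            return False
    return chain[-1].issuer == chain[-1].subject


def leaf_only_allows(chain: List[Cert], purpose: str) -> bool:
    """Lenient policy: only the leaf's EKU is consulted, so a leaf can claim
    purposes its issuer was never meant to grant."""
    leaf = chain[0]
    return chain_is_linked(chain) and (leaf.eku is None or purpose in leaf.eku)


def whole_chain_allows(chain: List[Cert], purpose: str) -> bool:
    """Strict policy: every certificate in the chain must either carry no EKU
    extension or explicitly list the purpose. A licensing-only issuer then
    cannot hand out a certificate that validates for code signing."""
    if not chain_is_linked(chain):
        return False
    return all(c.eku is None or purpose in c.eku for c in chain)


# Constructed chain resembling the one described in the quoted statement.
ROOT = Cert("Root CA (constructed)", "Root CA (constructed)", True, None)
LICENSING_CA = Cert("Licensing Intermediate (constructed)", ROOT.subject, True,
                    frozenset({LICENSE_SERVER}))
CUSTOMER_LEAF = Cert("Customer activation cert (constructed)", LICENSING_CA.subject,
                     False, frozenset({LICENSE_SERVER, CODE_SIGNING}))
CHAIN = [CUSTOMER_LEAF, LICENSING_CA, ROOT]

if __name__ == "__main__":
    print("leaf-only check accepts code signing:", leaf_only_allows(CHAIN, CODE_SIGNING))
    print("whole-chain check accepts code signing:", whole_chain_allows(CHAIN, CODE_SIGNING))
```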