If a virus replaces the root Netscape certificate with a
phony one, it can trick you into believing a fake certificate
is valid. But that replacement certificate can't verify any
real certificates, so you'll also believe that every real
certificate is invalid. (Hopefully, you'll notice this.) But
it works well with Microsoft's Authenticode. Microsoft had the
foresight to include two root-level Authenticode certificates,
presumably for if one ever gets compromised. But the software
is designed to authenticate code if even one checks out. So a
virus can replace the Authenticode spare certificate. Now
rogue software signed with this rogue certificate verifies
as valid, and real software signed by valid Microsoft-approved
companies still checks out as valid.
See also his own follow-up to his own post:
Who could be the casualties?
It would be rather exigent to cover all casualties, however the most
affected ones would be large organizations, governments, banks, companies,
virtual private networks, e-commerce applications, followed
by everyone using Windows on the World Wide Web, as they can not be even
slightly sure of JAVA applets, plugins and ActiveX controls.
Looking at these loopholes the use of these products would be highly
lethal from the security point of view. Services like RAS, IIS, ODBC,
VPN that depend on the Microsoft Cryptography API would also be no less
SSL, S/MIME and certificates in electronic commerce on these Windows
platforms represent a vulnerability to both financial establishments and
users of the Internet Explorer browser until these defect are treated.