Flame malware used man-in-the-middle attack against Windows Update
spread the Flame malware from machine to machine.
Flame-infected computers can be instructed to impersonate a Web Proxy Autodiscovery Protocol (WPAD) server. Windows machines set for automatic proxy detection (the default) will try to contact a server called wpad.(company domain name) to check for instructions for when to use a HTTP proxy.
Flame would tell machines on the network that the infected computer was to be used for proxying requests to Microsoft’s Windows Update service. Ordinarily this would not work, as Microsoft signs updates with their special digital certificates to ensure you only receive updates that are tamper proof.
For more information click here