
My takeaway is that MS still uses MD5 to sign their binaries. Not really a best-practice anymore...



It doesn't matter what Microsoft uses to sign their binaries, they're not the ones the signature scheme is defending against.

What matters is whether or not the attacker can find an application that accepts an MD5 signature and target it.

This is not a problem that can be solved by the CAs, though they can certainly stand in the way of the solution (by continuing to issue MD5 certs). The real problem is that a signature by definition is expected to be valid more or less forever. Even if the cert used to sign it expires, the signature is generally still valid.
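As an added illustration of the point above (example code, not from this thread): the check a verifier would want is whether a certificate's signatureAlgorithm is MD5- or SHA-1-based, read straight from the DER. The OIDs are the standard PKCS#1 ones; the certificate bytes are a constructed skeleton for the test, not a real certificate.

```python
WEAK_SIG_OIDS = {"1.2.840.113549.1.1.4": "md5WithRSAEncryption",
                 "1.2.840.113549.1.1.5": "sha1WithRSAEncryption"}
STRONG_SIG_OIDS = {"1.2.840.113549.1.1.11": "sha256WithRSAEncryption"}

def der_read(buf, pos):
    """Return (tag, contents, next_pos) for the DER TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(raw):
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:                       # base-128, high bit = continuation
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, val = arcs + [val], 0
    return ".".join(map(str, arcs))

def signature_algorithm(cert_der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }"""
    tag, cert, _ = der_read(cert_der, 0)
    assert tag == 0x30, "not a SEQUENCE"
    _, _tbs, pos = der_read(cert, 0)        # skip tbsCertificate
    _, algid, _ = der_read(cert, pos)       # AlgorithmIdentifier SEQUENCE
    tag, oid, _ = der_read(algid, 0)
    assert tag == 0x06, "expected OID"
    return decode_oid(oid)

def classify(cert_der):
    """('reject'|'accept'|'unknown', algorithm name or dotted OID); unknown fails closed."""
    oid = signature_algorithm(cert_der)
    if oid in WEAK_SIG_OIDS:
        return "reject", WEAK_SIG_OIDS[oid]
    return ("accept", STRONG_SIG_OIDS[oid]) if oid in STRONG_SIG_OIDS else ("unknown", oid)

# --- constructed test input: a minimal DER skeleton, not a real certificate ---
def der(tag, body):
    length = bytes([len(body)]) if len(body) < 128 else b"\x82" + len(body).to_bytes(2, "big")
    return bytes([tag]) + length + body

def encode_oid(dotted):
    a = [int(x) for x in dotted.split(".")]
    out = [a[0] * 40 + a[1]]
    for arc in a[2:]:
        chunk = [arc & 0x7F]
        while arc := arc >> 7:
            chunk.append(0x80 | (arc & 0x7F))
        out += reversed(chunk)
    return bytes(out)

def sample_cert(sig_oid):
    algid = der(0x30, der(0x06, encode_oid(sig_oid)) + der(0x05, b""))
    tbs = der(0x30, der(0x02, b"\x01") + algid)   # serial + inner algorithm only
    return der(0x30, tbs + algid + der(0x03, b"\x00" + b"\xaa" * 8))
```

Running `classify` over a real certificate's DER (for example the output of a PEM decoder) works the same way, since only the outer SEQUENCE layout is assumed.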


It's a collision attack. Therefore, there must be a still-valid cert that was used to sign something (presumably) legitimate with a signature based on an MD5 hash.


I think what you said is correct... until an attacker figures out a way to violate it by changing some subtle assumption.

For example, before Dec 2008 it was generally believed that a cert signature forgery would require a second preimage attack. Then Stevens et al. proved that under the right circumstances it could be done using collisions only.

Say, did you know some x509 PKI entities keep the same keypair going indefinitely by reusing the same one every time they renew?


They don't - it was a feature to support legacy systems.

That's the difference between enterprise and web/mobile development.

"Hey a new version of blahLib was just announced on Reddit - I've upgraded our servers"

"We have determined that fixing bug #123456 would break the DMV/the whole of California's medicare payments/air traffic control for Washington"



