
Microsoft is distributing security patches through insecure HTTP links

The Microsoft Update Catalog uses insecure HTTP links, not HTTPS links, on its download buttons, so patches you download from the Update Catalog are exposed to all the security problems that plague plain HTTP, including man-in-the-middle attacks.

Security researcher Stefan Kanthak, writing on the Seclists Bugtraq mailing list, elaborates:

Even if you browse the “Microsoft Update Catalog” via the HTTPS link, ALL download links published there use HTTP, not HTTPS!

That's trustworthy computing … the Microsoft way!

Despite numerous mails sent to <secure () microsoft com> in the last years, and numerous replies “we'll forward this to the product groups,” nothing happens at all.

I didn't believe it until I saw it myself — and you can see it, too. Head over to the Microsoft Update Catalog. For example, click on this (HTTPS) link to look at this month's Win10 1709 cumulative update KB 4087256.

[Screenshot: Update Catalog download for Windows 10 1709. Credit: Woody Leonhard]

The Microsoft Update Catalog uses insecure HTTP links to serve up patches.

On the right, click on any of the Download buttons. You'll see the Download pane shown in the screenshot. Now right-click on the download link and choose Copy Link Location.

Here's what you get:

http://download.windowsupdate.com/c/msdownload/update/software/crup/2018/02/windows10.0-kb4087256-x64_fb4795084fa7be6b33d5e05f442dfddb7f41c4d1.msu

That is, without a doubt, an insecure HTTP link.

Now flip over to the KB 4087256 article and scroll down to the part that says you can get the patch if you go to the Microsoft Update Catalog website. Right-click on that link and you'll see that it points to:

http://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB4074588

That's an insecure (HTTP) entry point to the Windows Update Catalog, from which you get an insecure (HTTP) link to your update. Kinda makes you feel warm and HTTPS-fuzzy, no?
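Windows does verify the Authenticode signature on an .msu before installing it, so a payload that is swapped out on the wire will normally be rejected at install time; what a plain-HTTP link still gives a network attacker is a view of which patches a machine pulls and control over what bytes arrive. The script below is an added example, not code from the article or from Microsoft: it takes the Catalog link quoted above, flags the plain-HTTP scheme, rewrites it to HTTPS, and after the download checks the file against the 40-character hex digest in its filename and against its Authenticode signature. Two assumptions are ours rather than the article's: that download.windowsupdate.com answers over HTTPS, and that the hex suffix in Catalog filenames is the SHA-1 of the file contents.

```powershell
# Added example, not code from the article or from Microsoft.
# Given a Microsoft Update Catalog download link it (1) flags a plain-HTTP scheme,
# (2) rewrites the link to HTTPS, and (3) once the file is on disk, verifies it
# against the SHA-1 digest embedded in the filename and its Authenticode signature.
# Assumptions (ours, not the article's): download.windowsupdate.com answers over
# HTTPS, and the 40-hex-character suffix in Catalog filenames is the SHA-1 of the
# file contents.

function Get-CatalogLinkInfo {
    param([Parameter(Mandatory)][string]$Url)

    $uri      = [Uri]$Url
    $fileName = [IO.Path]::GetFileName($uri.AbsolutePath)

    # Catalog filenames look like <package>_<40 hex chars>.msu (or .cab/.exe);
    # pull the hex digest out so the download can be checked against it later.
    $embeddedSha1 = $null
    if ($fileName -match '_([0-9a-fA-F]{40})\.(msu|cab|exe)$') {
        $embeddedSha1 = $Matches[1].ToLower()
    }

    # Same host and path, HTTPS scheme, default port for that scheme.
    $builder        = [UriBuilder]$uri
    $builder.Scheme = 'https'
    $builder.Port   = -1

    [pscustomobject]@{
        Url          = $Url
        IsPlainHttp  = ($uri.Scheme -eq 'http')
        HttpsUrl     = $builder.Uri.AbsoluteUri
        FileName     = $fileName
        EmbeddedSha1 = $embeddedSha1
    }
}

function Test-CatalogDownload {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$ExpectedSha1
    )

    # Compare the on-disk digest with the one carried in the filename, and ask
    # Windows whether the package's Authenticode signature chains to a trusted root.
    $actualSha1 = (Get-FileHash -Path $Path -Algorithm SHA1).Hash.ToLower()
    $signature  = Get-AuthenticodeSignature -FilePath $Path

    [pscustomobject]@{
        Path        = $Path
        HashMatches = ($actualSha1 -eq $ExpectedSha1.ToLower())
        SignatureOK = ($signature.Status -eq 'Valid')
        Signer      = $signature.SignerCertificate.Subject
    }
}

# The link the Catalog hands out for KB 4087256, as quoted in the article.
$link = 'http://download.windowsupdate.com/c/msdownload/update/software/crup/2018/02/windows10.0-kb4087256-x64_fb4795084fa7be6b33d5e05f442dfddb7f41c4d1.msu'

$info = Get-CatalogLinkInfo -Url $link
if ($info.IsPlainHttp) {
    Write-Warning "Catalog link uses plain HTTP; fetching over HTTPS instead: $($info.HttpsUrl)"
}

$dest = Join-Path $env:TEMP $info.FileName
Invoke-WebRequest -Uri $info.HttpsUrl -OutFile $dest -UseBasicParsing

$result = Test-CatalogDownload -Path $dest -ExpectedSha1 $info.EmbeddedSha1
$result | Format-List
if (-not ($result.HashMatches -and $result.SignatureOK)) {
    throw "Refusing to trust $($dest): hash match = $($result.HashMatches), signature valid = $($result.SignatureOK)"
}
```

Run it in an elevated or ordinary PowerShell session; the only network access is the single HTTPS fetch. If the host ever stops answering over HTTPS, Invoke-WebRequest fails closed rather than silently falling back to HTTP, which is the behaviour you want for a patch download.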

There may be some links in the Microsoft Update Catalog that don't use HTTP for the download, but I haven't run into any yet.

Günter Born calls it “security by obscurity.” I can think of a few less-polite descriptions.

Starting in July, Google is going to begin marking HTTP sites as “not secure.” Maybe it's time for Microsoft to get with the program on its own blasted security downloads. Ya think?

Feel a Friday kvetch coming on? Join us on the AskWoody Lounge.
