The Microsoft Update Catalog uses insecure HTTP links – not HTTPS links – on its download buttons, so patches you download from the Update Catalog are subject to all of the security concerns that dog HTTP links, including man-in-the-middle attacks: anyone positioned on the network path can tamper with or replace the package in transit.
Security researcher Stefan Kanthak, writing on Seclists' Bugtraq mailing list, elaborates:
Even though you browse the "Microsoft Update Catalog" via the HTTPS link, ALL download links published there use HTTP, not HTTPS!
That's trustworthy computing … the Microsoft way!
Despite numerous mails sent to <secure () microsoft com> in the last years, and numerous replies "we'll forward this to the product groups," nothing happens at all.
I didn't believe it until I saw it myself, and you can see it, too. Head over to the Microsoft Update Catalog. For example, click on this (HTTPS) link to look at this month's Win10 1709 cumulative update KB 4087256.
On the right, click on any of the Download buttons. You see the Download pane shown in the screenshot. Now right-click on the download link and choose Copy Link Location.
Here's what you get:
That is, without a doubt, an insecure HTTP link.
Now flip over to the KB 4087256 article and scroll down to the part that says you can get the patch if you go to the Microsoft Update Catalog web site. Right-click on that link and you'll see that the link points to:
That's an insecure (HTTP) entry point to the Windows Update Catalog – from which you get an insecure (HTTP) link to your update. Kinda makes you feel warm and HTTPSfuzzy, no?
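If you have to pull a package from the Catalog over one of those HTTP links anyway, the check a practitioner would want is to refuse to install anything whose Authenticode signature does not validate, since the transport gives you no integrity. The script below is an added example for this post; it is not code from AskWoody or from Microsoft. It takes the download URL you copied from the Download pane as described above, warns when the scheme is plain HTTP, fetches the file, and verifies the signature before you hand the package to the installer. The signer pin (-ExpectedSigner) is an assumption about how you want to constrain the publisher; adjust it to your own policy.

```powershell
<#
Added example, not from the AskWoody post or from Microsoft.
Usage: .\Get-CatalogPackage.ps1 -Url <link copied from the Catalog's Download pane>
#>
param(
    [Parameter(Mandatory = $true)][string]$Url,
    [string]$OutDir = $env:TEMP,
    # Assumption: pin the signer's certificate subject CN; change to suit your policy.
    [string]$ExpectedSigner = 'CN=Microsoft Corporation'
)

$uri = [uri]$Url
if ($uri.Scheme -ne 'https') {
    Write-Warning ("Download link is {0}, not HTTPS: {1}" -f $uri.Scheme.ToUpper(), $Url)
    Write-Warning 'The transport gives no integrity; only the package signature protects you.'
}

$outFile = Join-Path $OutDir ([IO.Path]::GetFileName($uri.AbsolutePath))
Invoke-WebRequest -Uri $Url -OutFile $outFile -UseBasicParsing

# Get-AuthenticodeSignature validates the embedded signature and its chain;
# Microsoft's .msu/.cab update packages carry one, like .exe files do.
$sig = Get-AuthenticodeSignature -FilePath $outFile
if ($sig.Status -ne 'Valid') {
    throw ("Signature status '{0}' for {1}; do not install." -f $sig.Status, $outFile)
}

# A valid signature from the wrong publisher is still the wrong package.
$subject = $sig.SignerCertificate.Subject
if ($subject -notlike "$ExpectedSigner*") {
    throw ("Valid signature, but signer is '{0}', not '{1}'; do not install." -f $subject, $ExpectedSigner)
}

$hash = (Get-FileHash -Path $outFile -Algorithm SHA256).Hash
Write-Output ("OK: {0} is signed by {1} (SHA256 {2})" -f $outFile, $subject, $hash)
# Only now hand it to the installer, e.g.: wusa.exe "$outFile" /quiet /norestart
```

The SHA256 in the final line is there so you can record what you actually installed; it is not a substitute for the signature check, because a hash fetched over the same HTTP channel can be swapped along with the package.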
There may be some links in the Microsoft Update Catalog that don't use HTTP for a download link, but I haven't run into any yet.
Starting in July, Google's Chrome browser is going to start marking HTTP sites as "not secure." Maybe it's time for Microsoft to get with the program on their own blasted security downloads. Ya think?
Feel a Friday kvetch coming on? Join us on the AskWoody Lounge.