Microsoft is delivering its security patches through insecure HTTP links, as the Update Catalog apparently still uses them. Consequently, when you download something from the company's Update Catalog, it is potentially at risk from man-in-the-middle attacks, among other security issues. The issue was highlighted by the security researcher Stefan Kanthak, who recently claimed that Microsoft was incapable of addressing a bug in Skype caused by a "large code revision". The company later clarified that the bug was fixed in October.
Researcher: Staying on HTTP Is “Trustworthy Computing… the Microsoft Way!”
In his current report, Kanthak writes that while advisories and changelogs are published under HTTPS, the downloads themselves are published using HTTP.
even in the event you look at the “Microsoft Update Catalog” via
ALL download links published there use HTTP, not HTTPS!
this bad habit is of course obtained in virtually all MSKB articles
for previous security updates for Microsoft’s Office products
too … and Microsoft is not going to CARE A B^HSHIT about it!
That’s trustworthy computing … the Microsoft way!
Despite numerous mails delivered to <secure () microsoft com> in the past years,
and diverse replies “we’ll forward this for the product groups”, nothing
happens in any way.
When we contacted Microsoft about Kanthak’s latest report, a Microsoft spokesperson said in an email to Wccftech that the company has “protections ready to make sure updates are validated previous to installation”.
Well, that’s all good. Nonetheless, it remains unclear what exactly these protections are. After years of all of the big companies pushing users to take HTTPS at face value, it isn’t surprising that Microsoft’s decision will only annoy security experts and potentially make users believe they may be downloading something unsafe. For what it’s worth, the security researcher also hasn’t (at least publicly) shared any proof of concept that demonstrates a vulnerability.
It should be noted that Google will begin marking all HTTP sites as “not secure” later this year. We’ve asked the company if it’s considering making the switch to secure connections at this time; otherwise, Microsoft is probably adding confusion to the entire move-to-HTTPS episode that is being driven by most of the tech firms. Given that the company has reportedly updated February Patch Tuesday’s download files to HTTPS following this report, hopefully a complete switch will also be implemented soon.