All Those Patch Tuesday Security Updates? You’re Downloading Them Through Insecure HTTP Links – Microsoft Assures “Protections in Place”
Microsoft has been delivering its security patches through insecure HTTP links: the Update Catalog apparently still serves its downloads over plain HTTP. This means that whatever you download directly from the company's Update Catalog is potentially exposed to man-in-the-middle attacks, among other security issues. The problem was highlighted by security researcher Stefan Kanthak, who recently claimed that Microsoft was unable to address a bug in Skype due to a "large code revision". The company later clarified that the bug had been fixed back in October.
Researcher: Sticking to HTTP Is "Trustworthy Computing... the Microsoft Way!"
In his current report, Kanthak writes that even though the advisory and changelogs are published over HTTPS, the actual downloads are served over HTTP.
even if you browse the "Microsoft Update Catalog" via
ALL download links published there use HTTP, not HTTPS!
this bad habit is of course present in ALMOST ALL MSKB articles
for previous security updates for Microsoft's Office products
too ... and Microsoft does NOT CARE A B^HSHIT about it!
That's trustworthy computing ... the Microsoft way!
Despite numerous mails sent to <secure () microsoft com> in the last years,
and numerous replies "we'll forward this to the product groups", nothing
happens at all.
When we contacted Microsoft about Kanthak's latest report, a Microsoft spokesperson said in an email to Wccftech that the company has "protections in place to ensure updates are validated prior to installation".
Well, that's all good, but it remains unclear what exactly these protections are. After years of the big companies pushing users to treat HTTPS as the baseline, it isn't surprising that Microsoft's decision will only annoy security experts and may leave end users believing they are downloading something unsafe. For what it's worth, the researcher also hasn't, at least publicly, shared any proof of concept that demonstrates a vulnerability.
It should be noted that Google will start marking all HTTP sites as not secure later this year. We have asked Microsoft whether it is considering switching to secure connections by then; otherwise the company is just adding confusion to the industry-wide move to HTTPS that is being driven by all the major tech firms. Given that Microsoft has reportedly already updated February Patch Tuesday's download links to HTTPS after this report, hopefully a complete switch will follow in the near future.
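Since the article leaves open what "validated prior to installation" means in practice, here is the kind of local check an administrator can run on a package fetched from the Update Catalog, so that the transport is not the only thing between a tampered file and the installer. This is an added illustration written for this page, not code from the article, from Kanthak or from Microsoft; the download URL and file path are constructed placeholders.

```powershell
# Added example: flag a plain-HTTP download link, retry it over HTTPS, and
# verify the package's Authenticode signature before it reaches wusa.exe.
# The URL and path below are constructed placeholders, not real catalog entries.
$DownloadUrl = 'http://download.windowsupdate.com/placeholder/windows10.0-kbNNNNNNN-x64.msu'
$LocalPath   = Join-Path $env:TEMP 'update-under-test.msu'

function Test-DownloadLink {
    # Returns an HTTPS URL for the package, warning when the catalog gave us HTTP.
    param([Parameter(Mandatory)][string]$Url)
    $uri = [Uri]$Url
    if ($uri.Scheme -ne 'https') {
        Write-Warning "Download link uses $($uri.Scheme.ToUpper()), not HTTPS: $Url"
        $secure = [UriBuilder]$uri
        $secure.Scheme = 'https'
        $secure.Port   = -1          # use the default port for the new scheme
        return $secure.Uri.AbsoluteUri
    }
    return $Url
}

function Test-UpdatePackage {
    # Throws unless the file carries a valid Authenticode signature from Microsoft.
    param([Parameter(Mandatory)][string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') {
        throw "Signature check failed for ${Path}: $($sig.Status) - $($sig.StatusMessage)"
    }
    # A valid chain alone is not enough; any trusted signer would pass that test.
    if ($sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
        throw "Unexpected signer: $($sig.SignerCertificate.Subject)"
    }
    [PSCustomObject]@{
        Path       = $Path
        Signer     = $sig.SignerCertificate.Subject
        Thumbprint = $sig.SignerCertificate.Thumbprint
        Sha256     = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    }
}

$SecureUrl = Test-DownloadLink -Url $DownloadUrl
Invoke-WebRequest -Uri $SecureUrl -OutFile $LocalPath
$result = Test-UpdatePackage -Path $LocalPath
$result | Format-List
# Only after both checks pass should the file be handed to the installer:
# Start-Process wusa.exe -ArgumentList "`"$LocalPath`" /quiet /norestart" -Wait
```

The HTTPS retry only helps when the host also serves the same path over TLS; the signature check is the part that does not depend on the transport at all.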