{"id":11514,"date":"2018-02-16T10:30:02","date_gmt":"2018-02-16T18:30:02","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2018\/02\/16\/news-5285\/"},"modified":"2018-02-16T10:30:02","modified_gmt":"2018-02-16T18:30:02","slug":"news-5285","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2018\/02\/16\/news-5285\/","title":{"rendered":"Microsoft is distributing security patches through insecure HTTP links"},"content":{"rendered":"

<\/p>\n

Credit to Author: Woody Leonhard| Date: Fri, 16 Feb 2018 09:12:00 -0800<\/strong><\/p>\n

The Microsoft Update Catalog uses insecure HTTP links \u2013 not HTTPS links \u2013 on the download buttons, so patches you download from the Update Catalog are subject to all of the security problems that dog HTTP links, including man-in-the-middle attacks.<\/p>\n

Security researcher Stefan Kanthak, writing on Seclist\u2019s Bugtraq mailing list<\/a>, elaborates:<\/p>\n

Even if you browse the “Microsoft Update Catalog” via the HTTPS link, \u00a0ALL download links published there use HTTP, not HTTPS!<\/p>\n

That’s trustworthy computing … the Microsoft way!<\/p>\n

Despite numerous mails sent to <secure () microsoft com> in the last years, and numerous replies “we’ll forward this to the product groups,” nothing happens at all.<\/p>\n

I didn\u2019t believe it until I saw it myself — and you can see it, too. Head over to the Microsoft Update Catalog. For example, click on this (HTTPS) link <\/a>to look at this month\u2019s Win10 1709 cumulative update KB 4087256.<\/p>\n

The Microsoft Update Catalog uses insecure HTTP links to offer up patches.<\/span><\/p>\n

On the right, click on any of the Download buttons. You see the Download pane shown in the screenshot. Now right-click on the download link and choose Copy Link Location.<\/p>\n

Here\u2019s what you get:\u00a0<\/p>\n

http:\/\/download.windowsupdate.com\/c\/msdownload\/update\/software\/crup\/2018\/02\/
windows10.0-kb4087256-x64_fb4795084fa7be6b33d5e05f442dfddb7f41c4d1.msu<\/em><\/p>\n

That is, without doubt, an insecure HTTP link.<\/p>\n

Now flip over to the KB 4087256 article<\/a> and scroll down to the part that says you can get the patch if you go to the Microsoft Update Catalog website. Right-click on that link and you can see that the link points to:<\/p>\n

http:\/\/catalog.update.microsoft.com\/v7\/site\/Search.aspx?q=KB4074588<\/em><\/p>\n

That’s an insecure (HTTP) entry point to the Windows Update Catalog \u2013 from which you can get an insecure (HTTP) link to your update. Kinda makes you feel warm and HTTPSfuzzy, no?<\/p>\n

There may be some links in the Microsoft Update Catalog that don\u2019t use HTTP for a download link, but I haven\u2019t bumped into any yet.<\/p>\n

G\u00fcnter Born calls it<\/a> \u201csecurity by obscurity.\u201d I can think of some less-polite descriptions.<\/p>\n

Starting in July, Google\u2019s going to start marking HTTP sites<\/a> as \u201cnot secure.\u201d Maybe it\u2019s time for Microsoft to get with the system on their own blasted security downloads. Ya think?<\/p>\n

Feel a Friday kvetch coming on? Join us on the <\/i>AskWoody Lounge<\/i><\/a>.<\/i><\/p>\n

http:\/\/www.computerworld.com\/category\/security\/index.rss<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"

<\/p>\n

Credit to Author: Woody Leonhard| Date: Fri, 16 Feb 2018 09:12:00 -0800<\/strong><\/p>\n

\n
\n

The Microsoft Update Catalog uses insecure HTTP links \u2013 not HTTPS links \u2013 on the download buttons, so patches you download from the Update Catalog are subject to all of the security problems that dog HTTP links, including man-in-the-middle attacks.<\/p>\n

Security researcher Stefan Kanthak, writing on Seclist\u2019s Bugtraq mailing list<\/a>, elaborates:<\/p>\n

\n

Even if you browse the “Microsoft Update Catalog” via the HTTPS link, \u00a0ALL download links published there use HTTP, not HTTPS!<\/p>\n

That’s trustworthy computing … the Microsoft way!<\/p>\n

Despite numerous mails sent to <secure () microsoft com> in the last years, and numerous replies “we’ll forward this to the product groups,” nothing happens at all.<\/p>\n

To read this article in full, please click here<\/a><\/p>\n<\/section>\n<\/article>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[11062,10643],"tags":[714,10761],"class_list":["post-11514","post","type-post","status-publish","format-standard","hentry","category-computerworld","category-independent","tag-security","tag-windows-10"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/11514","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=11514"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/11514\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=11514"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=11514"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=11514"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}