Microsoft is distributing security patches through insecure HTTP links


Stefan Kanthak, reporting on the Bugtraq mailing list, shows how Microsoft’s own security patch download links are based on HTTP, not HTTPS.

The Microsoft Update Catalog uses insecure HTTP links – not HTTPS links – on the download buttons, so patches you download from the Update Catalog are subject to all of the security problems that dog HTTP links, including man-in-the-middle attacks.
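A defender can audit any download page for this pattern. The following is an added example, not code from the original post or from Microsoft: it collects link targets from a page's HTML and reports package downloads that would travel over plain HTTP. The hosts, file names and extension list are constructed placeholders.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Package extensions to flag: an assumption for this sketch, extend as needed.
PACKAGE_EXTENSIONS = (".msu", ".cab", ".exe", ".msi", ".msp")
URL_IN_TEXT = re.compile(r"""https?://[^\s'"<>]+""", re.IGNORECASE)

# Constructed sample page; hosts and file names are placeholders, not real catalog data.
SAMPLE_HTML = """
<a href="/details?id=1">Details</a>
<a href="http://download.example/patches/kb0000001-x64.msu">Download</a>
<a href="https://download.example/patches/kb0000002-x64.msu">Download</a>
<a href="/local/kb0000003.cab">Download</a>
<script>var files = ['http://download.example/patches/kb0000004.cab'];</script>
"""

class LinkCollector(HTMLParser):
    """Collects URLs from href/src attributes and from inline script text."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.urls, self._in_script = page_url, [], False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
        for name, value in attrs:
            if name in ("href", "src") and value:
                # Relative links inherit the page's scheme; absolute ones keep their own.
                self.urls.append(urljoin(self.page_url, value.strip()))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.urls.extend(URL_IN_TEXT.findall(data))

def insecure_downloads(page_url, html):
    """Return the sorted set of plain-HTTP package URLs referenced by the page."""
    collector = LinkCollector(page_url)
    collector.feed(html)
    collector.close()
    return sorted({u for u in collector.urls
                   if urlsplit(u).scheme == "http"
                   and urlsplit(u).path.lower().endswith(PACKAGE_EXTENSIONS)})
```

Passing the URL the page was fetched from matters: a relative link is only as safe as the page's own scheme, while an absolute `http://` link is flagged even when the page itself came over HTTPS.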

Security researcher Stefan Kanthak, writing on SecLists.org's Bugtraq mailing list, elaborates:

Even if you browse the "Microsoft Update Catalog" via the HTTPS link, ALL download links published there use HTTP, not HTTPS!
That's trustworthy computing ... the Microsoft way!

Despite numerous mails sent to in the last years, and numerous replies "we'll forward this to the product groups," nothing happens at all.

Please read more here:
