The Microsoft Update Catalog uses insecure HTTP links – not HTTPS links – on the download buttons, so patches you download from the Update Catalog are subject to all of the security problems that dog HTTP links, including man-in-the-middle attacks.

Security researcher Stefan Kanthak, writing on Seclist’s Bugtraq mailing list, elaborates:

Even if you browse the "Microsoft Update Catalog" via the HTTPS link, ALL download links published there use HTTP, not HTTPS! That's trustworthy computing ... the Microsoft way! Despite numerous mails sent to <secure () microsoft com> in the last years, and numerous replies "we'll forward this to the product groups," nothing happens at all.

I didn’t believe it until I saw it myself -- and you can see it, too. Head over to the Microsoft Update Catalog. For example, click on this (HTTPS) link to look at this month’s Win10 1709 cumulative update KB 4087256.

Woody Leonhard The Microsoft Update Catalog uses insecure HTTP links to offer up patches.

On the right, click on any of the Download buttons. You see the Download pane shown in the screenshot. Now right-click on the download link and choose Copy Link Location.

Here’s what you get:

http://download.windowsupdate.com/c/msdownload/update/software/crup/2018/02/

windows10.0-kb4087256-x64_fb4795084fa7be6b33d5e05f442dfddb7f41c4d1.msu

That is, without doubt, an insecure HTTP link.

Now flip over to the KB 4087256 article and scroll down to the part that says you can get the patch if you go to the Microsoft Update Catalog website. Right-click on that link and you can see that the link points to:

http://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB4074588

That's an insecure (HTTP) entry point to the Windows Update Catalog – from which you can get an insecure (HTTP) link to your update. Kinda makes you feel warm and HTTPSfuzzy, no?

There may be some links in the Microsoft Update Catalog that don’t use HTTP for a download link, but I haven’t bumped into any yet.

Günter Born calls it “security by obscurity.” I can think of some less-polite descriptions.

Starting in July, Google’s going to start marking HTTP sites as “not secure.” Maybe it’s time for Microsoft to get with the system on their own blasted security downloads. Ya think?

Feel a Friday kvetch coming on? Join us on the AskWoody Lounge.