Microsoft is distributing security patches through insecure HTTP links

The Microsoft Update Catalog uses insecure HTTP links – not HTTPS links – on the download buttons, so patches you download from the Update Catalog are subject to all of the security problems that dog HTTP links, including man-in-the-middle attacks.
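An added example, not code from the article or from Microsoft: a small Python audit that takes a page URL and its HTML and lists the patch download links that would be fetched over plain HTTP, including the case where the page itself was loaded over HTTPS. The hostnames, KB number, sample HTML and the list of file extensions are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# File types treated as patch downloads (an assumption for this example).
PATCH_EXTENSIONS = (".msu", ".cab", ".exe", ".msi")


class _LinkCollector(HTMLParser):
    """Collect the href value of every <a> tag."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href")
            if href:
                self.hrefs.append(href)


def insecure_downloads(page_url, html):
    """Return absolute patch download URLs that would be fetched without TLS."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href in collector.hrefs:
        # urljoin resolves relative and scheme-relative ("//host/x") links
        # against the page URL, so those inherit the page's own scheme.
        absolute = urljoin(page_url, href)
        parts = urlsplit(absolute)  # urlsplit lowercases the scheme
        if not parts.path.lower().endswith(PATCH_EXTENSIONS):
            continue  # not a patch file, e.g. a help page
        if parts.scheme != "https":
            findings.append(absolute)
    return findings


# Constructed sample: an HTTPS page whose download links mix schemes.
SAMPLE_PAGE_URL = "https://catalog.example.test/Search.aspx?q=KB0000000"
SAMPLE_HTML = """
<a href="http://download.example.test/patches/kb0000000-x64.msu">Download</a>
<a href="https://download.example.test/patches/kb0000000-x86.msu">Download</a>
<a href="//download.example.test/patches/kb0000000-arm64.cab">Download</a>
<a href="/help/faq.html">FAQ</a>
<a href="HTTP://download.example.test/patches/KB0000000.EXE">Download</a>
"""

if __name__ == "__main__":
    for url in insecure_downloads(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print("insecure download link:", url)
```

Explicit `http://` links are flagged even though the page is HTTPS; the scheme-relative link is only flagged when the page itself was loaded over HTTP.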

Security researcher Stefan Kanthak, writing on Seclist’s Bugtraq mailing list, elaborates:

Even if you browse the “Microsoft Update Catalog” via the HTTPS link, ALL download links published there use HTTP, not HTTPS!

That’s trustworthy computing … the Microsoft way!

Despite numerous mails sent to <secure () microsoft com> in the last years, and numerous repli…
Computerworld Operating Systems