[German]Microsoft currently fails to deliver updates in a secure way. In a Security by obscurity style, Microsoft offers update downloads via insecure http protocol. This also applies to downloads from the Microsoft Update Catalog. And Microsoft Update Catalog strikes, if it is called from the wrong URL.
Update download via HTTP?
Security researcher Stefan Kanthak has informed me 2 days ago about a security issue with Microsoft’s update delivery. He wrote on February 14, 2018 within a private e-mail:
In your blog you unfortunately also use http: instead of https: not only for the Microsoft Update Catalog.
Do you check the SHA1 checksum of downloaded updates? Authenticode signature? Do you get the updates from there via http:, if a poehsewicht should block the “automatic updates”? Or by https:?
What’s the beef? Within my blog posts about Microsoft patchday updates, I include links to KB articles from the Microsoft documentation. Microsoft is still using some links to http pages. That wouldn’t be to bad.
But the story continues. If you visit KB4011715, the article about an Office updates is secured via https (that’s good). But on the web page, there is a direct download link for the update.
I have copied the link into the above screenshot. Just for the records: The kb article is retrieved from the website delivered via https. However, the download is offered via the unsecured http protocol.
[Addendum: Further tests, executed a few hours after initial post, shows, that a redirect to a https page has been estabilished in case of KB4011715 (and probably for other http download links). Can’t verify anymore whether this is new now. But Microsoft Update Catalog still deliver downloads via http.]
A man-in-the-middle could therefore manipulate the update. To make sure that the download is not manipulated, you have to check it afterwards. That’s what Stefan Kanthak suggests in his mail.
Tested: Windows accepts altered updates …
Within my German blog post, a reader did a simple test. He downloaded an update package via Microsoft Update Catalog. Then he used Notepad++ to edit some strings within the update package. The saved package is flagged ‘as modified’ on digital signature property page. But Windows accept this update and install it.
[Addendum: It seems that it matters, what’s changed within a .msu file. I guess, the .cab files within the update installer files are signed and causes an error, if altered – see this comment at Askwoody. ]
Added to seclist.org
Stefan Kanthak has posted this topic (just before our mail exchange) at seclists.org (Defense in depth — the Microsoft way (part 52): HTTP used to distribute (security) updates, not HTTPS).
yesterdays “Security update deployment information: February 13, 2018” <https://support.microsoft.com/en-us/help/20180213> links the following MSKB articles for the security updates of Microsoft’s Office products:
<https://support.microsoft.com/kb/4011715> <https://support.microsoft.com/kb/4011200> <https://support.microsoft.com/kb/3114874> <https://support.microsoft.com/kb/4011707> <https://support.microsoft.com/kb/4011711> <https://support.microsoft.com/kb/4011690> <https://support.microsoft.com/kb/4011697> <https://support.microsoft.com/kb/4011701> <https://support.microsoft.com/kb/3172459> <https://support.microsoft.com/kb/4011143> <https://support.microsoft.com/kb/4011686> <https://support.microsoft.com/kb/4011682> <https://support.microsoft.com/kb/4011680>
Alternatively use yesterdays “February 2018 updates for Microsoft Office” <https://support.microsoft.com/en-us/help/4077965> and all the MSKB articles linked there, which are a superset of those named above.
Each of these MSKB articles in turn contains one or two links to the download pages for the updates, which except 2 (of 22) are of the form <http://www.microsoft.com/downloads/details.aspx?familyid=GUID> (despite the HTTPS: used for the MSKB articles), ie. they use HTTP instead of HTTPS, inviting to MitM attacks, ALTHOUGH the server www.microsoft.com supports HTTPS and even redirects these requests to <https://www.microsoft.com/downloads/details.aspx?familyid=GUID>!
JFTR: this bad habit is of course present in ALMOST ALL MSKB articles for previous security updates for Microsoft’s Office products too … and Microsoft does NOT CARE A B^HSHIT about it!
Microsoft also links all the MSKB articles for their Windows security updates, for example <https://support.microsoft.com/kb/4074595>, in their “Security update deployment information: <month> <day>, <year>”.
Allmost all of these MSKB articles as well as those for Microsoft’s Office products (see above) in turn contain a link to Microsoft’s “Update Catalog”, which ALL are of the form
(despite the HTTPS: used for the MSKB articles), ie. they use HTTP instead of HTTPS, inviting to MitM attacks, ALTHOUGH the server catalog.update.microsoft.com [*] supports HTTPS!
JFTR: even if you browse the “Microsoft Update Catalog” via <https://www.catalog.update.microsoft.com/Home.aspx> [#], ALL download links published there use HTTP, not HTTPS!
That’s trustworthy computing … the Microsoft way! Despite numerous mails sent to <secure () microsoft com> in the last years, and numerous replies “we’ll forward this to the product groups”, nothing happens at all.
Addendum: At Askwoody is a post with links pointing to articles for further reading.
Microsoft Update Catalog broken
If you try to reach Microsoft’s Update Catalog, using the old address https://catalog.update.microsoft.com/ (still available in Microsoft’s kb articled), you will end with the following message.
I’ve had mentioned within my blog post Trouble reaching Microsoft Update Catalog. In the past, there was a redirection, but it seems that that doesn’t work at the momenent. To reach the Update Catalog, use
instead of the old address:
Perhaps it’s helpful for you.