Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Microsoft is distributing security patches through insecure HTTP links


  • Please log in to reply
8 replies to this topic

#1 JohnC_21

JohnC_21

  • Members
  • 24,849 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:43 AM

Posted 21 February 2018 - 01:31 PM

The Microsoft Update Catalog uses insecure HTTP links – not HTTPS links – on the download buttons, so patches you download from the Update Catalog are subject to all of the security problems that dog HTTP links, including man-in-the-middle attacks.

 

https://www.computerworld.com/article/3256304/microsoft-windows/microsoft-is-distributing-security-patches-through-insecure-http-links.html



BC AdBot (Login to Remove)

 


#2 jarlmaster47

jarlmaster47

  • Members
  • 53 posts
  • OFFLINE
  •  
  • Local time:01:43 AM

Posted 21 February 2018 - 02:22 PM

I'm simultaneously surprised and not surprised. I'm not surprised in that big companies do some of THE stupidest things. I'm surprised in the sense that this is asking for trouble Microsoft doesn't want. And my main issue is that, and correct me if I'm wrong, switching to HTTPS requires no effort. 



#3 SleepyDude

SleepyDude

  • Malware Response Team
  • 3,192 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Portugal
  • Local time:06:43 AM

Posted 21 February 2018 - 02:26 PM

Don't think this is a big problem because the updates provided as exe files or the newer .msu files are signed by Microsoft, windows will not accept to install any updates not signed by Microsoft.


• Please do not PM me asking for support. Post on the forums instead it will increases the chances of getting help for your problem by one of us.
• Posts in the Malware section that are not replied to within 4 days will be closed. PM me or a moderator to reactivate.
• Please post your final results, good or bad. We like to know! Thank you!

 
Proud graduate of GeekU and member of UNITE
___
Rui

 
 


#4 isaccasi

isaccasi

  • Members
  • 147 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:zealand denmark
  • Local time:07:43 AM

Posted 21 February 2018 - 03:51 PM

Hello, I am not a techie at all but I think it sounds disturbing :bounce:



#5 VBCONZ

VBCONZ

  • Members
  • 43 posts
  • OFFLINE
  •  
  • Local time:07:43 PM

Posted 23 February 2018 - 02:37 AM

To sign you need certificates. If the links to get certificates are http as well then a MITM attack is also possible i would have thought.



#6 DavidLMO

DavidLMO

  • Members
  • 50 posts
  • OFFLINE
  •  
  • Local time:01:43 AM

Posted 23 February 2018 - 03:22 PM

Garbage such as this is why I use HTTPS Everywhere extension.



#7 rp88

rp88

  • Members
  • 3,082 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Local time:06:43 AM

Posted 24 February 2018 - 05:15 PM

I have to download MS updates through the browser from the catalog website, since I avoid feature ones and just do security fixes, I always check the signatures in the relevant tab of window's "properties" windows of the file browser. And I upload copies to virustotal as well to let them check signatures to. Should these actions generally mean any man in the middle trying to supply a fake update will not be able to match the signatures and/or pass virustotal's checks?
Back on this site, for a while anyway, been so busy the last year.

My systems:2 laptops, intel i3 processors, windows 8.1 installed on the hard-drive and linux mint 17.3 MATE installed to USB

#8 Didier Stevens

Didier Stevens

  • BC Advisor
  • 2,753 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:07:43 AM

Posted 26 February 2018 - 01:02 PM

Yes, if the files you download are tampered with, then the signatures will no longer be valid.

When you check signatures, you still have to make sure that it is signed by Microsoft though. I guess it's unlikely in your case, but an attacker could substitute files signed with a certificate he obtained.


Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Senior Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2019
MVP_Horizontal_BlueOnly.png

 

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.

 

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"


#9 Kellysi

Kellysi

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:11:43 PM

Posted 28 February 2018 - 04:01 AM

That is all creepy. I agree that some companies are negligent but I think that Microsoft with all of its security and departments still knows what they're doing. Then again I hope. I dont think it should be imagined what would happen if someone was an attacker with a certificate obtained from Microsoft. That said, that would create a major digital bomb. 






0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users