Microsoft using insecure HTTP links to distribute security patches through the Update Catalog

Topic

New Reply

I didn’t believe it until I saw it. And you can, too. Post coming in Computerworld. Thx, Stefan Kanthak, Günter Born
[See the full post at: Microsoft using insecure HTTP links to distribute security patches through the Update Catalog]

6 users thanked author for this post.

Elly, HiFlyer, JDeC, WildBill, AJNorth, Tiernan

Reply | Quote

Replies

Holy c***, so they are. I just checked myself. Example below

http://download.windowsupdate.com/c/msdownload/update/software/secu/2018/01/outlookintl-cs-cz_c5241abd0aa5626747a7b57684a5743a68529608.cab

Rgds, Zeus

Reply | Quote

Prefixing HTTPS to the URL results in a invalid certificate warning using Waterfox.

2 users thanked author for this post.

HiFlyer, woody

Reply | Quote

It seems like MS is just stumbling from one disaster to another.

My daughter really likes her new pixelbook, but for myself I find the screen too small and I’ve never been a big fan of laptop keyboards and touchpads. It still is a very nice laptop that oozes high quality and I believe will get a fair number of buyers.

Looks like ASUS is brnging out a new chromebox some time this year

https://www.androidheadlines.com/2018/01/hands-on-with-the-new-asus-chromebox-3-ces-2018.html

Looks interesting and could be a serious option for myself. Just hoping I get a Meltdown patch soon for my Win7-32 machine and then I could wait for the new chromebox. If not and real world exploits start showing up I might have to look at an Apple product.

Reply | Quote

I’m curious what the point is in this kerfuffle, other than it’s not a great idea (which is par for the course with MS).
Short of a MITM attack/circumvention, what exactly is the paranoia over?
I don’t recall seeing mass hysteria over sites using FTP instead of SFTP, so why exactly is using HTTP instead of HTTPS any different?

1 user thanked author for this post.

abbodi86

Reply | Quote

Phishing? Fake, Trojan “updates” bearing viruses, worms?

Maybe the PC has to be already compromised by a preliminary infestation with malware opening the way to the one in the HTTP address?

How much of a protection really is HTTPS these days?

Ex-Windows user (Win. 98, XP, 7); since mid-2017 using also macOS. Presently on Monterey 12.15 & sometimes running also Linux (Mint).

MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV

Reply | Quote

I’m not disagreeing that there can be issues, but in the context of this and whether or not it will cause users issues, the odds are (and I’d say they’re favorable odds) are that it won’t.

Riddle me this: what prototypical uneducated PC owner/user is downloading Windows Updates piecemeal from somewhere other than Windows Update?

The answer of course is “no one”. Anyone capable of downloading updates from the Microsoft Catalog is going to be a novice techie (at worst). Such a person is not going to be easily fooled by any of the potential issues that you listed.

This seems very much like a clickbait article to me. Mission accomplished, I guess.

1 user thanked author for this post.

abbodi86

Reply | Quote

It’s easy for me to imagine being attached to a network (or accessing the Catalog from a country) where MitM attacks are straightforward — and very hard to detect.

5 users thanked author for this post.

Elly, gborn, HiFlyer, AJNorth

Reply | Quote

HTTP connections are vulnerable to MTM attacks and I would think someone who is trying one might find Windows updates via HTTP an interesting way to try one.

HTTPS connections are encrypted and rely on a handshake between the browser and server. Once established MTM attacks become almost impossible if the proper protocols are used. About the only reliable to attack an HTTPS connection is to fool the user into initially connecting to a rogue site; more of a social engineering problem than a technical one.

Reply | Quote

A few more details may be read within my blog post Microsoft delivers updates via HTTP & more security obscurity

Ex Microsoft Windows (Insider) MVP, Microsoft Answers Community Moderator, Blogger, Book author

https://www.borncity.com/win/

5 users thanked author for this post.

Elly, BobbyB, WildBill, AJNorth, woody

Reply | Quote

Microsoft Update Catalog is not broken

catalog.update.microsoft.com is the IE-activex front-end
http://www.catalog.update.microsoft.com is the non-activex front-end (for IE and other browsers)

2 users thanked author for this post.

AJNorth, woody

Reply | Quote

Wah-hay! Does that mean that we put ourselves at risk of viral infection merely by downloading updates from the Catalog? Any more for Group W?

Reply | Quote

I guess, the risk for private user is minimal. But it’s probably an attack vector, that should be discussed at least.

Ex Microsoft Windows (Insider) MVP, Microsoft Answers Community Moderator, Blogger, Book author

https://www.borncity.com/win/

1 user thanked author for this post.

HiFlyer

Reply | Quote

I’m in Group L – Linux Mint!

Group "L" (Linux Mint)
with Windows 10 running in a remote session on my file server

2 users thanked author for this post.

Cybertooth, lurks about

Reply | Quote

Sorry, buddy, but Group L ™ has been taken!

And it’s more a kind of attitude towards life than being OS related…

.

May I suggest Group M for Mint!

Reply | Quote

As far as I can tell, Windows Update has been doing the same thing for a long while now.

4 users thanked author for this post.

abbodi86, HiFlyer, gborn, woody

Reply | Quote

Where is this Mass Hysteria?

There is the expectation that a tech company would choose HTTPS for a website that is regularly accessed by their customers for downloads, especially MSIs. It has taken many people by surprise that Microsoft has chosen not to. You may recall that it was just a year ago that they had to remove Active X from this site.

in 2018, Google and Firefox are issuing ‘insecure’ notices for sites that are not HTTPS, whereas Edge and IE do not. Considering that the vast majority of users do not use Microsoft’s browsers, the HTTP designation for the MS Catalog site is a major inconvenience for MS users. This is an immature game that results in zero winners.

Reply | Quote

anonymous wrote:

in 2018, Google and Firefox are issuing ‘insecure’ notices for sites that are not HTTPS, whereas Edge and IE do not. Considering that the vast majority of users do not use Microsoft’s browsers, the HTTP designation for the MS Catalog site is a major inconvenience for MS users. This is an immature game that results in zero winners.

I’m using Firefox & haven’t gotten any ‘insecure’ notices for http sites… Yet. Maybe Firefox will start about the same time Chrome does later this year. Some people may call this clickbait & promoting hysteria, but Woody & others are right; a popular http patch could be hacked & Who Would Know? Methinks Google will be doing this to troll Microsoft; still, not best practices at work in Redmond, IMO.

Bought a refurbished Windows 10 64-bit, currently updated to 22H2. Have broke the AC adapter cord going to the 8.1 machine, but before that, coaxed it into charging. Need to buy new adapter if wish to continue using it.
Wild Bill Rides Again...

Reply | Quote

Isn’t that an oxymoron?

On permanent hiatus {with backup and coffee}
offline▸ Win10Pro 2004.19041.572 x64 i3-3220 RAM8GB HDD Firefox83.0b3 WindowsDefender
offline▸ Acer TravelMate P215-52 RAM8GB Win11Pro 22H2.22621.1265 x64 i5-10210U SSD Firefox106.0 MicrosoftDefender
online▸ Win11Pro 22H2.22621.1992 x64 i5-9400 RAM16GB HDD Firefox116.0b3 MicrosoftDefender

Reply | Quote

If anyone is curious if using Windows Update itself is secure, here are some links:

Are Windows Updates susceptible to tampering, eg. using a MiTM attack

Windows Update – Interception

 

There have been Windows updates that address the security of using Windows Update:

Researchers reveal how Flame fakes Windows Update

Unauthorized digital certificates could allow spoofing

 

6 users thanked author for this post.

walker, Elly, GoneToPlaid, AJNorth, woody, geekdom

Reply | Quote

In response to the Flame malware, Microsoft also did this: From Update to Windows Update, WSUS Coming This Week (2012): “Our hardening introduces two defense-in-depth changes.  First, we have further hardened the Windows Update infrastructure so that the Windows Update client will only trust files signed by a new certificate that is used solely to protect updates to the Windows Update client. Second, we are strengthening the communication channel used by Windows Update in a similar way.”

3 users thanked author for this post.

walker, abbodi86, geekdom

Reply | Quote

Woody’s article: Microsoft is distributing security patches through insecure HTTP links.

3 users thanked author for this post.

walker, AJNorth, woody

Reply | Quote

6 users thanked author for this post.

Elly, BobbyB, OscarCP, WildBill, grayslady, Cybertooth

Reply | Quote

This doesn’t seem like a problem to me.  All the updates have to be signed by Microsoft.  It doesn’t matter how they are downloaded.  It is completely beside the point.  An unsigned or tampered file won’t work.

2 users thanked author for this post.

abbodi86, MrBrian

Reply | Quote

Agreed, and also with the click bait comment above.

Since all Microsoft updates are signed, they are tamper-proof and thus secure regardless of whether the transport is secure. What additional benefit would using HTTPS offer? Absolutely nothing, it would just waste CPU performance.

WSUS also requires both HTTP and HTTPS ports, this is well documented:
“WSUS also uses SSL to encrypt metadata passed between clients and downstream WSUS servers. Note that WSUS only uses SSL for metadata. This is also the way Microsoft Update distributes updates.
As discussed earlier in this guide, updates consist of two parts: metadata that describes what an update is useful for, and the files to install the update on a computer. Microsoft mitigates the risk of sending update files over an unencrypted channel by signing each update. In addition to signing each update, a hash is computed and sent with the metadata for each update. When an update is downloaded, WSUS checks the digital signature and hash. If the update has been tampered with, it is not installed.”

Edit to remove HTML
Please convert to plain text (.txt) before cut/paste

2 users thanked author for this post.

abbodi86, MrBrian

Reply | Quote

From New Paper Released: WSUSpect – Compromising the Windows Enterprise via Windows Update (2015):

“Today, we released a paper titled ‘WSUSpect – Compromising the Windows Enterprise via Windows Update’ which accompanies the talk presented by two of our senior researchers at Black Hat USA 2015.

The presentation demonstrates how Windows Update can be abused for internal attacks on corporate networks by exploiting insecurely configured enterprise implementations of Windows Server Update Services (WSUS).”

4 users thanked author for this post.

Elly, OscarCP, woody, AJNorth

Reply | Quote

That is on Enterprise; would this proof of vulnerability have, as a corollary, that it is also true, across the board, for all extant versions of Windows X (with X= 7, or 8, or 8.1, or 10)?

Ex-Windows user (Win. 98, XP, 7); since mid-2017 using also macOS. Presently on Monterey 12.15 & sometimes running also Linux (Mint).

MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV

Reply | Quote

OscarCP wrote:

That is on Enterprise; would this proof of vulnerability have, as a corollary, that it is also true, across the board, for all extant versions of Windows X (with X= 7, or 8, or 8.1, or 10)?

I’m not sure, but here is another related work: WSUSpendu. English version of this paper (pdf): https://www.blackhat.com/docs/us-17/wednesday/us-17-Coltel-WSUSpendu-Use-WSUS-To-Hang-Its-Clients-wp.pdf.

Reply | Quote

Since all Microsoft updates are signed, they are tamper-proof and thus secure regardless of whether the transport is secure.

That was my first thought. But did you read my addendum here?

Tested: Windows accepts altered updates …

Within my German blog post, a reader did a simple test. He downloaded an update package via Microsoft Update Catalog. Then he used Notepad++ to edit some strings within the update package. The saved package is flagged ‘as modified’ on digital signature property page. But Windows accept this update and install it.

I guess (haven’t tested it), the digitale signatur proof check will be executed for .cabs included. The post from Mr. Brian below indicates, that some parts are checked and others not.

So: Overall I guess, it’s a ‘non optimal’ solution, Microsoft decides to use (nicely spoken). Well, we can discuss about http versus https. But then explain, why they offer kb articles via https, while downloads from http download links are redirected to https pages – and Update Catalog downloads still shipped via http.

Ex Microsoft Windows (Insider) MVP, Microsoft Answers Community Moderator, Blogger, Book author

https://www.borncity.com/win/

3 users thanked author for this post.

Cascadian, Cybertooth, woody

Reply | Quote

Why?

A reason might be that it takes computer power to encrypt large blocks of data. That translates to money when running a network that’s tasked with delivering an unprecedented amount of data. Let’s not forget, with concepts like “cumulative” and “6 month major release cycles” dawning, updates are working out to hundreds of megabytes to gigabytes apiece. We’re all becoming numb to mega/giga/tera but it’s an unprecedented large network and server load – by a lot.

Many folks have more computer power than they need, and they might prefer an https: connection vs. http: on general principles but it comes at a price, however intangible.

And lo and behold right when content delivery networks could use more capacity, now servers are becoming less efficient than ever, with their mitigations for newly “discovered” vulnerabilities going in.

Why invite / create problems on purpose? It’s not hard to imagine there are those who benefit from people throwing money at their problems.

But even if it’s not planned, insecure computing and networking are where we came from. The only thing people thought https: was good for just a few scant years ago was specific important transactions. Who worried about such things as “Man In The Middle” attacks when it seemed ridiculously expensive/difficult to do, and backups were smaller and easier to restore? Now the data we use to manage our lives is becoming huge, and more valuable than ever – and the bad guys share their software via the same web…

-Noel

1 user thanked author for this post.

ch100

Reply | Quote

As a test, I altered a downloaded .msu file with a hex editor, and then attempted to install it. The install was aborted with error “Installer encountered an error: 0x8007000d   The data is invalid.”

5 users thanked author for this post.

AlexEiffel, OscarCP, woody, AJNorth, Cascadian

Reply | Quote

See my addendum one post above. It seeems that you altered a cab file.

Ex Microsoft Windows (Insider) MVP, Microsoft Answers Community Moderator, Blogger, Book author

https://www.borncity.com/win/

4 users thanked author for this post.

AlexEiffel, Cascadian, MrBrian, woody

Reply | Quote

MSU files are special cabinet files signed with two certificates.

Reply | Quote

Just did a Google search for “Microsoft Update Catalog” using Chrome.

Clicked on the 1st site found, “Microsoft Update Catalog” (https://catalog.update.microsoft.com), get the following ‘web page’:

I made a shortcut a long time ago to the MS Update Catalog site using:

https://www.catalog.update.microsoft.com/home.aspx

and it works fine, brings up the non-ActiveX web site in IE 11 or Chrome. (more on that in a following post)

3 users thanked author for this post.

AlphaCharlie, HiFlyer, AJNorth

Reply | Quote

@”anonymous’ in post # 167872:

Then did a Google search for “Microsoft update catalog” in IE 11 (brings up the same results as in Chrome).

Click on the 1st result “Microsoft Update Catalog” and get the following web site:

The URL of the above web page is:

https://catalog.update.microsoft.com/v7/site/Install.aspx

So, there’s multiple ways to kind of get to the MS Update Catalog site, and at least one of them still wants to install ActiveX in IE 11.  Seems ActiveX is still alive on the above web page. I’ve never installed it, so use the ‘other’ way to get to the Update catalog site.

Very confusing.

 

2 users thanked author for this post.

BobbyB, AJNorth

Reply | Quote

http://www.wsusoffline.net

Reply | Quote

1) Microsoft Update Catalog: https://www.catalog.update.microsoft.com

All file download links at the above are served via HTTP, ever since the catalog was launched. If we manually switch the download link from HTTP to HTTPS, the download will fail. The browser would warn about an untrusted connection, with details such as “download.windowsupdate.com uses an invalid security certificate“.

2) Microsoft Download Center: https://download.windowsupdate.com

From what I noticed, numerous file download links posted since years ago at the above are randomly served via HTTP. That is, some download links are in HTTPS, but some are in HTTP. But we can manually switch the download link from HTTP to HTTPS, & still fetch the file.

As such, if Microsoft has any intention of making its file downloads more secure for users, it needs to not only fix portal (1), but also the random HTTP download links at portal (2).

1 user thanked author for this post.

GoneToPlaid

Reply | Quote

In the Computerworld article, it says: “Now flip over to the KB 4087256 article” but the link is https://support.microsoft.com/en-us/help/4074588

I guess that KB 4087256 is renamed to KB 4074588?

Reply | Quote

My bad. But the principle remains.

Reply | Quote

This sudden hysteria would more understandable if it was directed towards Windows Update, which have been and still and will continue to deliver all updates via HTTP
the MU catalog links are just a mirror of WU links

the sha1 hash appended to each file name will prevent any tampering
https://www.askwoody.com/forums/topic/ms-defcon-4-time-to-get-november-windows-and-office-patches-applied/#post-22192

even the new Windows 10 UUP and Delivery Optimization links are HTTP

with all due respect, HTTPS is overrated in this context

BTW, i pointed that long time ago, although not very clear
https://www.askwoody.com/forums/topic/ms-defcon-4-time-to-get-november-windows-and-office-patches-applied/#post-22239

6 users thanked author for this post.

walker, Cascadian, HiFlyer, ch100, MrBrian, woody

Reply | Quote

abbodi86 wrote:

Microsoft Update Catalog is not broken catalog.update.microsoft.com is the IE-activex front-end http://www.catalog.update.microsoft.com is the non-activex front-end (for IE and other browsers)

That’s what also some German users told me, but …

I mentioned it within my German comment – just try the two tests below.
http://www.catalog.update.microsoft.com
catalog.update.microsoft.com

The last link shows ‘Server negotiated HTTP/2 with blacklisted suite’ (btw also for IE 11 and Edge under Windows 10). I would say, it’s some misconfigured servers, probably.

Ex Microsoft Windows (Insider) MVP, Microsoft Answers Community Moderator, Blogger, Book author

https://www.borncity.com/win/

3 users thanked author for this post.

ch100, woody, abbodi86

Reply | Quote

I received this email from Stefan Kanthak (whom I hope will join us here), slightly edited:

My point is NOT with Windows Update/Automatic Update, but with a MitM attacker who serves bogus updates. Yes, WU/AU will reject the altered updates. But an administrator who notices the WU/AU failure might be tempted to fetch the failed updates manually … and fall prey to a bogus one.

An especially trivial example is the Security Update for CAPICOM (KB931906) The EXE file is a properly signed but vulnerable executable (there are of course quite some more of this kind), which may be served by a MitM attacked instead of the requested update.

Executables are not fed to WUSA.exe, DISM.exe, CBS or the Windows Microsoft Installer which will check their signature and deny to process bogus updates. A double-click on this .EXE will come up with an UAC prompt which
says “I’m from Microsoft”. To go from there, look at my FD and BugTraq posts about IExpress or 931906 or CAPICOM on how to proceed.

Yes, this is an INDIRECT exploit; but it’s an exploit. And then there are updates which are NOT distributed through WU/AU, but only via Microsoft Update Catalog, for example KB3127754.

2 users thanked author for this post.

MrBrian, Elly

Reply | Quote

I don’t claim to be an expert at Windows Update internals, but here’s my concerned-layman’s take:

Both the “HTTPS should be there” and the “HTTP is good enough” factions have points in their favor. There doesn’t appear to be a direct attack vector the way things stand, but the potential is there for an unfortunate admin (or user) to shoot themselves in the foot.

I think MS should be moving to use HTTPS links exclusively for all of their security patches, even if there’s a performance hit. Not because there’s a known threat. But because the threat’s potentially very large — and the rewards potentially huge.

2 users thanked author for this post.

WildBill, GoneToPlaid

Reply | Quote

Raymond Chen discusses this category of ‘security hole’ frequently on his blog.

It goes “it rather consists of being on the other side of this airtight hatchway,” which is his way of saying that if your admin(or user) is such a clueless chap that he downloads and installs malware, THAT is your problem.  You can not claim a security defect when everything is working exactly as designed.

The default arrangement is that the downloaded executable is going to require UAC approval, and when it does, it will indicate the program is signed by XYZ or not signed.  If it doesn’t say Microsoft, you don’t run it!  Any steps beyond that are social engineering, and are not fixable by the software.  Microsoft issues these certificates, so they are presumably on the lookout for any attempts to fool people, and they can revoke certificates also.

2 users thanked author for this post.

MrBrian, abbodi86

Reply | Quote

Anon #168109 said:
The default arrangement is that the downloaded executable is going to require UAC approval, and when it does, it will indicate the program is signed by XYZ or not signed.  If it doesn’t say Microsoft, you don’t run it!

The above strategy is not foolproof. Even if the program is signed with a genuine Microsoft signature, it doesn’t necessarily imply that it is safe to run. Genuine software vendor digital signatures can be created from stolen private keys, such as in the following example.

https://www.symantec.com/connect/blogs/stux-be-you
21 Sep 2010
Back in July we saw the Stuxnet worm targeting industrial control systems. The Stuxnet authors stole the digital signatures of two Taiwanese chip makers and used them on the rootkit employed by the worm. Just how they were getting their hands on the private keys needed to steal the signatures remains a missing piece of the Stuxnet puzzle.

In order to digitally sign a binary, you must have a private key. If attackers can gain possession of the key they can steal the key owner’s signature; therefore, the owner of the private key should ensure that it remains private. Somehow, these private keys were stolen and used by the Stuxnet authors to sign the rootkit in order to ensure that it would be loaded by Windows Vista and Windows 7.

Obtaining a private key for a digital certificate may not be as difficult as one imagines. Infostealer.Nimkey is an example of a threat that steals PKCS#12 public key certificate files. PKCS#12 certificates are different from ordinary public key certificates—they can contain not only public keys but private keys, too.

And there are precedences for forged Microsoft certificates, such as the following incident:

Unauthentic “Microsoft Corporation” Certificates (22 Mar 2001)
https://www.cert.org/historical/advisories/CA-2001-04.cfm

On January 29 and 30, 2001, VeriSign, Inc. issued 2 certificates to an individual fraudulently claiming to be an employee of Microsoft Corporation. Any code signed by these certificates will appear to be legitimately signed by Microsoft when, in fact, it is not.

Although users who try to run code signed with these certificates will generally be presented with a warning dialog, there will not be any obvious reason to believe that the certificate is not authentic.

This issue presents a security risk because even a reasonably cautious user could be deceived into trusting the bogus certificates, since they appear to be from Microsoft. Once accepted, these certificates may allow an attacker to execute malicious code on the user’s system.

Competent blackhats can probably create their own certificate & label it “Microsoft” to deceive users who don’t go to the trouble of checking the certificate’s signature against the known Microsoft signature. And many (if not most) end-users do not have the habit, patience or know-how to conduct proper signature checks by cross-checking serial numbers & validity dates for every executable file.

1 user thanked author for this post.

WildBill

Reply | Quote

Woody, this in theory is accurate and well-known for many years.
But let’s take a more practical view here and also see Noel’s post for this.
A significant number of patches are released due to public hysteria in relation to this sort of vulnerabilities which have little practical relevance. For a limited number of organisations they are relevant though.
A man in the middle attack inside of an organisation require an attacker with elevated access inside of the organisation. As per the post, in this specific situation, it also require an unsuspecting administrator who would install cracked software manually bypassing the safeguards built into the software.
How secure is that organisation’s internal network in such a situation? Are there bigger problems there than the possibility of installing cracked updates?

Reply | Quote

“Executables are not fed to WUSA.exe, DISM.exe, CBS or the Windows Microsoft Installer which will check their signature and deny to process bogus updates.”

If the type of file downloaded from the Catalog is a .exe file, I believe that it’s safer to install the update via Windows Update (if available) than to download and install it manually, due to the additional Windows Update infrastructure changes that Microsoft introduced in 2012. Feedback on my assertion is welcome :).

Reply | Quote

Would one example of this is using WU to update .NET through the Rollups instead of downloading and installing the .exe files that some versions use?

Reply | Quote

Yes. If my assertion is correct, then for Windows 7 and 8.1 users, with only the issue in this topic used as criteria, then Group A is safer than Group B.

Reply | Quote

This is related info that might be worth its own topic: From OEM Updaters put PCs at risk (2016): “A study by Duo Security, Inc suggests that OEM Updaters, programs designed by PC manufacturers to update vendor-specific software, do more harm than good as they put PCs at risk.”

2 users thanked author for this post.

Cascadian, Elly

Reply | Quote

Manufacturers have struggled for a long time to find good that could be delivered from “the cloud”.

Hard looks at all cloud or network-contacting services are warranted.

Sure, with the cloud “sharing” is easy, getting a weather report is seamless, getting more software than you can possibly want is a given – yet amazingly along with that comes the increased probability of “being violated”.

It long been said that if you use Windows long enough, it will slow down more and more over time until it becomes unusable. That’s not an inherent issue with Windows or its registry or whatever. It’s because almost every software package almost invariably tries to install some extra helpful services or scheduled jobs – and I’m not even talking about big stuff like Adobe’s Creative Cloud which practically takes over your entire system with dozens of components. Run of the mill programs often want to install their services that will watch for updates, for example. Eliminate all that and lo and behold Windows can actually be run forever and maintain efficiency. I’ve done it.

I just looked at the first page of my Autoruns display, “Everything” tab, and much more stuff is unchecked than is checked (not to mention the amount of unchecked boxes in the Scheduled Tasks section).

-Noel

2 users thanked author for this post.

satrow, Cascadian

Reply | Quote

WHAHAHA the never ending story…… ??

* _ ... _ *

Reply | Quote

An interesting page on MSI malware has just been published on isc.scan.edu:

Malware Delivered via Windows Installer Files

Published: 2018-02-17
Last Updated: 2018-02-17 09:06:35 UTC
by Xavier Mertens (Version: 1)

For some days, I collected a few samples of malicious MSI files. MSI files are Windows installer files that users can execute to install software on a Microsoft Windows system. Of course, you can replace “software” with “malware”. MSI files look less suspicious and they could bypass simple filters based on file extensions like “(com|exe|dll|js|vbs|…)”. They also look less dangerous because they are Composite Document Files…

 
Read the full article here

4 users thanked author for this post.

walker, Elly, GoneToPlaid, satrow

Reply | Quote

Microsoft engineer extraordinaire Michael Niehaus sent me this synopsis privately. It’s reprinted here with permission:

The updates are Authenticode-signed and validated by the OS, so a man-in-the-middle attack is impossible – any tampering done to the payload will be detected by the OS, causing the entire payload to be rejected.

That’s kind of like saying “Kerberos is insecure because it doesn’t use HTTPS” – nope, it signed the payload and validated the signature…

So you’re making a big fuss over nothing.

So I asked him about the attack vector raised by Kanthak, earlier in this thread. His response:

All Windows updates are Authenticode-signed; they can’t be tampered with.  WU/WUSA/DISM will reject them.  Even if you manually download them, they are still signed and can’t be tampered with.

As for executables, they are also Authenticode-signed.  Windows will tell you that they are untrusted at worst, and in many cases reject them due to an invalid signature, although if you try hard enough you can probably bypass all the warnings.  But these aren’t Windows updates.

There are many easier ways than a MitM attack to get people to download bad things ?

He certainly has a point!

4 users thanked author for this post.

Geo, AlexEiffel, abbodi86, MrBrian

Reply | Quote

“But these aren’t Windows updates”

Some updates in the Catalog are available as executables.

2 users thanked author for this post.

AlexEiffel, woody

Reply | Quote

From Ghacks :

Microsoft Update Catalog downloads are now using HTTPS
——————————————————-
https://www.ghacks.net/2022/04/02/microsoft-update-catalog-downloads-are-now-using-https/

The https link provided in the article works : https://www.catalog.update.microsoft.com/Home.aspx.

Cheers.

1 user thanked author for this post.

Alex5723

Reply | Quote

sorry for commenting on this 4 years late but it looks like Microsoft has recently “resolved” this problem as any actual downloads posted on MS Catalog are now found on https://catalog.s.download.windowsupdate.com instead of just http://download.windowsupdate.com

don’t ask why MS took so long in putting their MS Update Catalog downloads on their HTTPS site in 2022 but better late than never

3 users thanked author for this post.

abbodi86, PKCano, Susan Bradley

Reply | Quote

[Bob99]

OK, but I just got a cert warning from Firefox 98.0.2 about the site fe2.update.microsoft.com that the link catalog.s.download.windowsupdate.com redirects to.

Here’s the text:

…Firefox does not trust fe2.update.microsoft.com because its certificate issuer is unknown, the certificate is self-signed, or the server is not sending the correct intermediate certificates.

Error code: SEC_ERROR_UNKNOWN_ISSUER

I’m guessing that, for now, FF doesn’t trust the root cert because of it being “self-signed”.

Would be great if one of the MVPs here or someone with good knowledge of the inner working of certs could take a dive into the cert chain to see just why FF might not like it. That way the rest of us can decide if the cert is worth permanently accepting.

Meanwhile, I’m off to ssllabs to see what they think of the site redirection and its cert.

…And, I’m back. Didn’t take too long. SSLLabs was fine with the cert belonging to the site in the actual link mentioned by @EP above, but they didn’t like the cert from the site that the link forwards to, fe2.update,microsoft.com.

According to their tests, fe2.update.microsoft.com’s cert isn’t trusted by the Mozilla, Apple, Android, nor Java trust stores, but is trusted by Windows and is in the Windows trust store.

So, where do we go from here? Add an exception to allow FF (and, perhaps, other browsers) to trust the site anyway until the cert makes it into the other trust stores?

Yet another edit: I just tried the site in Edge 100.0.1185.29, and IT didn’t like the site’s certificate either. Gave what it called a Privacy error with a white exclamation point inside a red triangle. Here’s the exact wording:

The server presented a certificate that wasn’t publicly disclosed using the Certificate Transparency policy. This is required for some certificates to make sure they are trustworthy and to protect against attackers.

The warning also had a little reason in all caps but in small type saying “NET::ERR_CERTIFICATE_TRANSPARENCY_REQUIRED”. So, even though the certificate is in the Windows trusted cert store, MS’s own browser, Edge, doesn’t like it. All I gotta say about that is WOW.

In all fairness, on the error page there was a way to continue to the site, but is was a blue clickable link in a VERY small font. The link said “Continue to fe2.update.microsoft.com (unsafe)”.

• This reply was modified 3 years ago by Bob99. Reason: added cert testing results
• This reply was modified 3 years ago by Bob99. Reason: added info about attempting to access the site with Edge
• This reply was modified 3 years ago by Bob99.

1 user thanked author for this post.

windbg

Reply | Quote

fe2.update.microsoft.com require CA Root certificate “Microsoft Root Certificate Authority 2011”
it’s not added to Mozilla CA list
you need to find a way to import it manually to firfox

Reply | Quote

you need to find a way to import it manually to firfox

From what I recall, this can easily be done by first clicking the grey colored button labeled “Advanced” that’s in the warning page, and then clicking the grey colored button labeled “Accept the Risk and Continue”. I haven’t done that in a very long time, but that’s what used to work to get FF to import and accept what it thought of as a questionable certificate from a web site.

Probably similar procedure(s) for Chrome, Brave, Safari and others.

Reply | Quote