[<prev] [next>] [day] [month] [year] [list]
Message-ID: <29C1F3C71A544A2C8B814FB3EF8577B2@W340>
Date: Wed, 14 Feb 2018 11:25:19 +0100
From: "Stefan Kanthak" <stefan.kanthak@...go.de>
To: <bugtraq@...urityfocus.com>
Cc: <fulldisclosure@...lists.org>
Subject: Defense in depth -- the Microsoft way (part 52): HTTP used to distribute (security) updates, not HTTPS
Hi @ll,
yesterdays "Security update deployment information: February 13, 2018"
<https://support.microsoft.com/en-us/help/20180213> links the following
MSKB articles for the security updates of Microsoft's Office products:
<https://support.microsoft.com/kb/4011715>
<https://support.microsoft.com/kb/4011200>
<https://support.microsoft.com/kb/3114874>
<https://support.microsoft.com/kb/4011707>
<https://support.microsoft.com/kb/4011711>
<https://support.microsoft.com/kb/4011690>
<https://support.microsoft.com/kb/4011697>
<https://support.microsoft.com/kb/4011701>
<https://support.microsoft.com/kb/3172459>
<https://support.microsoft.com/kb/4011143>
<https://support.microsoft.com/kb/4011686>
<https://support.microsoft.com/kb/4011682>
<https://support.microsoft.com/kb/4011680>
Alternatively use yesterdays "February 2018 updates for Microsoft Office"
<https://support.microsoft.com/en-us/help/4077965> and all the MSKB
articles linked there, which are a superset of those named above.
Each of these MSKB articles in turn contains one or two links to the
download pages for the updates, which except 2 (of 22) are of the form
<http://www.microsoft.com/downloads/details.aspx?familyid=GUID>
(despite the HTTPS: used for the MSKB articles), ie. they use HTTP
instead of HTTPS, inviting to MitM attacks, ALTHOUGH the server
www.microsoft.com supports HTTPS and even redirects these requests to
<https://www.microsoft.com/downloads/details.aspx?familyid=GUID>!
JFTR: this bad habit is of course present in ALMOST ALL MSKB articles
for previous security updates for Microsoft's Office products
too ... and Microsoft does NOT CARE A B^HSHIT about it!
Microsoft also links all the MSKB articles for their Windows security
updates, for example <https://support.microsoft.com/kb/4074595>, in
their "Security update deployment information: <month> <day>, <year>".
Allmost all of these MSKB articles as well as those for Microsoft's Office
products (see above) in turn contain a link to Microsoft's "Update Catalog",
which ALL are of the form
<http://catalog.update.microsoft.com/v7/site/search.aspx?q=4074595>
(despite the HTTPS: used for the MSKB articles), ie. they use HTTP
instead of HTTPS, inviting to MitM attacks, ALTHOUGH the server
catalog.update.microsoft.com [*] supports HTTPS!
JFTR: even if you browse the "Microsoft Update Catalog" via
<https://www.catalog.update.microsoft.com/Home.aspx> [#],
ALL download links published there use HTTP, not HTTPS!
That's trustworthy computing ... the Microsoft way!
Despite numerous mails sent to <secure@...rosoft.com> in the last years,
and numerous replies "we'll forward this to the product groups", nothing
happens at all.
stay tuned
Stefan Kanthak
[*] catalog.update.microsoft.com is redirected to
catalog.update.microsoft.com/v7/site, which in turn is redirected to
www.catalog.update.microsoft.com/, for both HTTP and HTTPS
CONNECT https://catalog.update.microsoft.com
GET / http/1.1
| HTTP/1.1 302 Found
| Cache-Control: private
| Content-Length: 125
| Content-Type: text/html; charset=utf-8
| Location: /v7/site
| Server: Microsoft-IIS/10.0
| X-AspNet-Version: 4.0.30319
| X-Powered-By: ASP.NET
| Date: Wed, 14 Feb 2018 09:42:51 GMT
| HTTP/1.1 301 Moved Permanently
| Content-Length: 168
| Content-Type: text/html; charset=UTF-8
| Location: https://catalog.update.microsoft.com/v7/site/
| Server: Microsoft-IIS/10.0
| X-Powered-By: ASP.NET
| X-Frame-Options: DENY
| Date: Wed, 14 Feb 2018 09:42:51 GMT
| HTTP/1.1 302 Redirect
| Content-Length: 164
| Content-Type: text/html; charset=UTF-8
| Location: https://www.catalog.update.microsoft.com/
| Server: Microsoft-IIS/10.0
| X-Powered-By: ASP.NET
| X-Frame-Options: DENY
| Date: Wed, 14 Feb 2018 09:42:51 GMT
| HTTP/1.1 200 OK
| Cache-Control: private
| Content-Length: 11135
| Content-Type: text/html; charset=utf-8
| Server: Microsoft-IIS/10.0
| X-AspNet-Version: 4.0.30319
| X-Powered-By: ASP.NET
| X-Frame-Options: DENY
| Strict-Transport-Security: max-age=31536000; includeSubDomains
| Date: Wed, 14 Feb 2018 09:42:53 GMT
[#] if your browser attemps to connect to these servers with HTTP/2,
it fails: they use a blacklisted cipher suite with HTTP/2, see
<https://www.ssllabs.com/ssltest/analyze.html?d=catalog.update.microsoft.com>
Powered by blists - more mailing lists