Invalid Server Security Certificate when connecting to Windows Update...

Discussion in 'other security issues & news' started by Thelps, May 12, 2018.

  1. Thelps

    Thelps Registered Member

    Joined:
    Apr 1, 2012
    Posts:
    46
    The PC I'm trying to update manually via the Microsoft Update Catalog is reporting an Invalid Security Certificate from download.windowsupdate.com.

    This is indicative of a MITM (Man-In-The-Middle) type of hack whereby they intercept a data-transfer request and either provide false data or modify sent data so that the downloader receives malware instead of the requested files.

    Could anyone advise on how to avoid such a scenario? I don't want to be downloading malware instead of updates...
     
  2. stapp

    stapp Global Moderator

    Joined:
    Jan 12, 2006
    Posts:
    24,110
    Location:
    UK
    Is it the same using a different browser?
     
  3. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,873
    Location:
    Outer space
    Afaik this is simply because the website is not available over HTTPS.
     
  4. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Actually, it is available via HTTPS:

    MS_Catalog.png
     
    Last edited: May 13, 2018
  5. SouthPark

    SouthPark Registered Member

    Joined:
    Jun 13, 2012
    Posts:
    737
    Location:
    South Park, CO
    I get the same message from Firefox ESR 52.8. It tries to redirect to https://www.update.microsoft.com/ but gives this message:

    www.update.microsoft.com uses an invalid security certificate. The certificate is not trusted because the issuer certificate is unknown. The server might not be sending the appropriate intermediate certificates. An additional root certificate may need to be imported.
    With IE 11, the site doesn't try to load an https page but instead prompts me to install a Windows Update tool for Windows Vista (even though I am running W7). :confused:
     
  6. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    This is what I receive from IE11 running on Win 10 1803:

    Update_Microsoft.png
     
  7. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    4,660
    Yes and no. See below:
    (Using IE11 on Win 7)
    Let's take for example the 2018-05 Security Only Quality Update for Windows 7 for x64-based Systems (KB4103712)
    First you go to the MS catalog link: https://www.catalog.update.microsoft.com/Search.aspx?q=KB4103712
    Then you look for the appropriate item in the list :
    2018-05 Security Only Quality Update for Windows 7 for x64-based Systems (KB4103712)
    Click at the right side for the download; you get this:

    MS_2018-05-14_01.png

    Now look at the actual download link (with that red arrow):
    That link is:
    Code:
    http://download.windowsupdate.com/c/msdownload/update/software/secu/2018/04/windows6.1-kb4103712-x64_44bc3455369066d70f52da47c30ca765f511cf68.msu
    And it is exactly that link that is http and not https
    Now try to use that link with https instead of http:
    Code:
    https://download.windowsupdate.com/c/msdownload/update/software/secu/2018/04/windows6.1-kb4103712-x64_44bc3455369066d70f52da47c30ca765f511cf68.msu
    and then you get a certificate error (again this all with IE11 on Win 7)
     
    Last edited: May 14, 2018
  8. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    To get to the bottom of this, I ran a scan on https://www.update.microsoft.com/ using the Qualys SSL Server Test. The report is here for reference: https://www.ssllabs.com/ssltest/analyze.html?d=www.update.microsoft.com

    The browsers are failing it due to "SHA1 with RSA" and "Server negotiated HTTP/2 with blacklisted suite." Interestingly, only IE11 on Win 10 does the latter failure; IE11 on other Win versions does not.

    In any case, there is info in the report indicating the site for https purposes has been deprecated. Therefore, it is safe to assume that actual file downloads from the Windows Update Catalog web site are occurring from http://download.windowsupdate.com.
     
  9. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    4,660
    The direct download links in the thread "No more individual patches for Windows 7 and 8" (thanks to Mister X and Mood and others) are indeed for a long time given with http and not https.
    Last page of that thread: https://www.wilderssecurity.com/thr...al-patches-for-windows-7-and-8.387895/page-22
     
  10. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,873
    Location:
    Outer space
    Yes, I have no problem connecting to catalog.update.microsoft.com over HTTPS. But the TS said download.windowsupdate.com. If I visit that site I get the certificate error. If I choose to ignore it, it connects but doesn't load anything.

    Anyway @Thelps: after downloading the updates, check file properties, go to Digital Signatures, select and click Details. Make sure it says the signature is OK and the signer is Microsoft Corporation.
     
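    The check BoerenkoolMetWorst describes (Properties > Digital Signatures) is the one that actually matters here: the download link itself is plain HTTP, so nothing on the wire protects the file, and the Authenticode signature is what ties it back to Microsoft. The script below is an added example, not code from anyone in this thread, that does the same check from PowerShell and additionally compares the 40-hex suffix in the catalog filename (e.g. `..._44bc3455369066d70f52da47c30ca765f511cf68.msu`) against the file's SHA-1. That the suffix is the file's SHA-1 is an assumption about the catalog's naming convention; the Authenticode result is the authoritative one. The script name and the path you pass are placeholders.

```powershell
# Verify-Msu.ps1 (added example, not from the thread)
# Usage: .\Verify-Msu.ps1 -Path .\windows6.1-kb4103712-x64_44bc3455369066d70f52da47c30ca765f511cf68.msu
param(
    [Parameter(Mandatory = $true)]
    [string]$Path
)

$file = Get-Item -LiteralPath $Path

# 1. Authenticode: the embedded signature must verify and chain to a trusted root.
#    Get-AuthenticodeSignature uses WinVerifyTrust, the same check the Explorer
#    "Digital Signatures" tab performs (assumed to apply to .msu as it does to .cab).
$sig = Get-AuthenticodeSignature -FilePath $file.FullName
if ($sig.Status -ne 'Valid') {
    throw "Signature status is '$($sig.Status)': $($sig.StatusMessage)"
}

# 2. The signer must be Microsoft, not merely "some valid certificate".
$subject = $sig.SignerCertificate.Subject
if ($subject -notmatch 'O=Microsoft Corporation') {
    throw "Unexpected signer: $subject"
}

# 3. Optional cross-check: catalog filenames end in _<40 hex chars>; assumption
#    is that this is the SHA-1 of the file contents. A mismatch means the file
#    is not the one the catalog listed, regardless of what step 1 said.
if ($file.BaseName -match '_([0-9a-f]{40})$') {
    $expected = $Matches[1]
    $actual   = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA1).Hash.ToLower()
    if ($actual -ne $expected) {
        throw "SHA-1 mismatch: filename says $expected, file hashes to $actual"
    }
}

# 4. Summarise what was verified so the decision to install is an informed one.
[pscustomobject]@{
    File      = $file.Name
    Status    = $sig.Status
    Signer    = $subject
    Issuer    = $sig.SignerCertificate.Issuer
    Timestamp = if ($sig.TimeStamperCertificate) { $sig.TimeStamperCertificate.Subject } else { '(none)' }
}
```

A `Status` of `NotSigned`, `HashMismatch` or `UnknownError` (the last typically meaning the chain does not reach a trusted root) is a reason to discard the file rather than install it; only `Valid` together with a Microsoft subject should be accepted, and the script throws on anything else so it can be wired into a larger download step without silently continuing.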
  11. Thelps

    Thelps Registered Member

    Joined:
    Apr 1, 2012
    Posts:
    46
    I still don't understand computers.

    Thought it was skill-based and knowledge-based but just seems everyone wants to be experts at something that usually isn't physically demanding, and the marketing departments of the IT sector are happy to pander to that.

    Anyway: How can I further ensure no one at all can read or copy information from my Hard Drive (HDD)?
     