Invalid Server Security Certificate when connecting to Windows Update...

Discussion in 'other security issues & news' started by Thelps, May 12, 2018.

  1. Thelps

    Thelps Registered Member

    Joined:
    Apr 1, 2012
    Posts:
    45
    The PC I'm trying to update manually via the Microsoft Update Catalog is reporting an Invalid Security Certificate from download.windowsupdate.com.

    This is indicative of a MITM (Man-In-The-Middle) type of hack whereby they intercept a data-transfer request and either provide false data or modify sent data so that the downloader receives malware insted of the requested files.

    Could anyone advise on how to avoid such a scenario? I don't want to be downloading malware instead of updates...
     
  2. stapp

    stapp Global Moderator

    Joined:
    Jan 12, 2006
    Posts:
    10,422
    Location:
    UK
    Is it the same using a different browser?
     
  3. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,062
    Location:
    Outer space
    Afaik this is simply because the website is not available over HTTPS.
     
  4. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    6,551
    Location:
    U.S.A.
    Actually, it is available via HTTPS:

    MS_Catalog.png
     
    Last edited: May 13, 2018
  5. SouthPark

    SouthPark Registered Member

    Joined:
    Jun 13, 2012
    Posts:
    332
    Location:
    USA
    I get the same message from Firefox ESR 52.8. It tries to redirect to https://www.update.microsoft.com/ but gives this message:

    www.update.microsoft.com uses an invalid security certificate. The certificate is not trusted because the issuer certificate is unknown. The server might not be sending the appropriate intermediate certificates. An additional root certificate may need to be imported.
    With IE 11, the site doesn't try to load an https page but instead prompts me to install a Windows Update tool for Windows Vista (even though I am running W7). :confused:
     
  6. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    6,551
    Location:
    U.S.A.
    This is what I receive from IE11 running on Win 10 1803:

    Update_Microsoft.png
     
  7. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    3,132
    Yes and no. See below:
    (Using IE11 on Win 7)
    Let's take for example the 2018-05 Security Only Quality Update for Windows 7 for x64-based Systems (KB4103712)
    First you go to the MS catalog link: https://www.catalog.update.microsoft.com/Search.aspx?q=KB4103712
    Then you look for the appropriate item in the list :
    2018-05 Security Only Quality Update for Windows 7 for x64-based Systems (KB4103712)
    Click at the right side for the download; you get this:

    MS_2018-05-14_01.png

    Now look at the actual download link (with that red arrow):
    That link is:
    Code:
    http://download.windowsupdate.com/c/msdownload/update/software/secu/2018/04/windows6.1-kb4103712-x64_44bc3455369066d70f52da47c30ca765f511cf68.msu
    And it is exactly that link that is http and not https
    Now try to use that link with https instead of http:
    Code:
    https://download.windowsupdate.com/c/msdownload/update/software/secu/2018/04/windows6.1-kb4103712-x64_44bc3455369066d70f52da47c30ca765f511cf68.msu
    and then you get a certificate error (again this all with IE11 on Win 7)
     
    Last edited: May 14, 2018
  8. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    6,551
    Location:
    U.S.A.
    To get to the bottom of this, I ran a scan on https://www.update.microsoft.com/ using QUALS SSL Server test. The report is here for reference: https://www.ssllabs.com/ssltest/analyze.html?d=www.update.microsoft.com

    The browsers are failing it due to "SHA1 with RSA" and "Server negotiated HTTP/2 with blacklisted suite." Interestingly, only IE11 on Win 10 does the later failure; IE11 on other Win vers. do not.

    In any case, there is info in the report indicating the site for https purposes has been deprecated. Therefore, it is safe to assume that actual file downloads from the Windows Update Catalog web site are occurring from http://download.windowsupdate.com.
     
  9. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    3,132
    The direct download links in the thread "No more individual patches for Windows 7 and 8" (thanks to Mister X and Mood and others) are indeed for a long time given with http and not https.
    Last page of that thread: https://www.wilderssecurity.com/thr...al-patches-for-windows-7-and-8.387895/page-22
     
  10. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,062
    Location:
    Outer space
    Yes, I have no problem connecting to catalog.update.microsoft.com over HTTPS. But the TS said download.windowsupdate.com. If I visit that site I get the certificate error. If I choose to ignore it, it connects but doesn't load anything.

    Anyway @Thelps: after downloading the updates, check file properties, go to Digital Signatures, select and click Details. Make sure it says the signature is OK and the signer is Microsoft Corporation.
     
  11. Thelps

    Thelps Registered Member

    Joined:
    Apr 1, 2012
    Posts:
    45
    I still don't understand computers.

    Thought it was skill-based and knowledge-based but just seems everyone wants to be experts at something that usually isn't physically demanding, and the marketing departments of the IT sector are happy to pander to that.

    Anyway: How can I further ensure no one at all can read or copy information from my Hard Drive (HDD)?
     
Loading...
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.