The Microsoft Update Catalog uses insecure HTTP links – not HTTPS links – on the download buttons, so patches you download from the Update Catalog are subject to all of the security problems that dog HTTP links, including man-in-the-middle attacks.
Even if you browse the “Microsoft Update Catalog” via the HTTPS link, ALL download links published there use HTTP, not HTTPS!
That’s trustworthy computing … the Microsoft way!
Despite numerous mails sent to <secure () microsoft com> in the last years, and numerous replies “we’ll forward this to the product groups,” nothing happens at all.
I didn’t believe it until I saw it myself — and you can see it, too. Head over to the Microsoft Update Catalog. For example, click on this (HTTPS) link to look at this month’s Win10 1709 cumulative update KB 4087256.
On the right, click on any of the Download buttons. You see the Download pane shown in the screenshot. Now right-click on the download link and choose Copy Link Location.
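The manual check above can be automated once the Download pane's markup has been saved. This is an added example, not code from the original article or from Microsoft: `insecure_downloads`, the extension list, and every host and file name in the sample markup are constructed placeholders, not real Update Catalog URLs.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# File extensions treated as update packages (assumption for this example).
PACKAGE_EXTS = (".msu", ".cab", ".exe", ".msi")

class LinkCollector(HTMLParser):
    """Collects every href value found on <a> tags."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value.strip())

def insecure_downloads(page_url, html):
    """Return absolute package URLs that would be fetched without TLS."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href in collector.hrefs:
        # urljoin resolves relative and protocol-relative (//host/...) links
        # the way a browser does, inheriting the scheme of the page.
        parts = urlsplit(urljoin(page_url, href))
        if not parts.path.lower().endswith(PACKAGE_EXTS):
            continue  # navigation link, not a package
        if parts.scheme != "https":  # urlsplit lowercases the scheme
            findings.append(parts.geturl())
    return findings

# Constructed sample: an HTTPS page whose download buttons use mixed schemes.
SAMPLE_PAGE = "https://catalog.example.test/DownloadDialog.aspx"
SAMPLE_HTML = """
<a href="http://download.example.test/c/kb0000000-x64.msu">x64</a>
<a href="HTTP://download.example.test/c/kb0000000-x86.msu">x86</a>
<a href="https://download.example.test/c/kb0000000-arm64.msu">arm64</a>
<a href="//download.example.test/c/kb0000000-delta.cab">delta</a>
<a href="/Search.aspx?q=KB0000000">search again</a>
"""

if __name__ == "__main__":
    for url in insecure_downloads(SAMPLE_PAGE, SAMPLE_HTML):
        print("plain-HTTP download link:", url)
```

The protocol-relative link is reported only when the page itself was loaded over HTTP, which is why the same markup has to be checked against the URL it was actually served from.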
Now flip over to the KB 4087256 article and scroll down to the part that says you can get the patch if you go to the Microsoft Update Catalog website. Right-click on that link and you can see that the link points to: