The Microsoft Update Catalog uses insecure HTTP links – not HTTPS links – on the download buttons, so patches you download from the Update Catalog are subject to all of the security problems that dog HTTP links, including man-in-the-middle attacks.
Security researcher Stefan Kanthak, writing on the SecLists Bugtraq mailing list, elaborates:
Even if you browse the “Microsoft Update Catalog” via the HTTPS link, ALL download links published there use HTTP, not HTTPS!
That’s trustworthy computing … the Microsoft way!
Despite numerous mails sent to <secure () microsoft com> in the last years, and numerous replies “we’ll forward this to the product groups,” nothing happens at all.
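As an added example (not code from the article or from Kanthak's post), here is a Python check a defender can run on the problem described above: it lists the download links on a catalog page that would be fetched over plain HTTP, and verifies a downloaded file against a SHA-256 digest obtained out of band (for instance from the vendor's HTTPS-served advisory). The HTML, hostnames and file bytes are constructed for illustration.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlsplit


class LinkCollector(HTMLParser):
    """Collect the href attribute of every <a> tag in a page."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def find_insecure_links(html, page_url):
    """Return hrefs that a browser would fetch over plain HTTP.

    Relative and protocol-relative links inherit the scheme of the page
    they sit on, so a link is only 'safe' if the resolved scheme is https.
    """
    parser = LinkCollector()
    parser.feed(html)
    page_scheme = urlsplit(page_url).scheme.lower()
    insecure = []
    for href in parser.hrefs:
        scheme = urlsplit(href).scheme.lower() or page_scheme
        if scheme == "http":
            insecure.append(href)
    return insecure


def verify_sha256(data, expected_hex):
    """True if the downloaded bytes match a digest obtained out of band."""
    return hashlib.sha256(data).hexdigest() == expected_hex.lower()


# Constructed sample page: an HTTPS catalog page whose download buttons
# point at HTTP URLs, exactly the pattern the article describes.
SAMPLE_PAGE = """
<a href="/Home.aspx">Home</a>
<a href="https://catalog.example/Search.aspx?q=KB000000">Search</a>
<a href="http://download.example/patch.msu">Download</a>
<a href="//download.example/patch.cab">Download (cab)</a>
"""

if __name__ == "__main__":
    for link in find_insecure_links(SAMPLE_PAGE, "https://catalog.example/Search.aspx"):
        print("insecure download link:", link)
```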