Hi @ll, yesterdays "Security update deployment information: February 13, 2018" links the following MSKB articles for the security updates of Microsoft's Office products: Alternatively use yesterdays "February 2018 updates for Microsoft Office" and all the MSKB articles linked there, which are a superset of those named above. Each of these MSKB articles in turn contains one or two links to the download pages for the updates, which except 2 (of 22) are of the form (despite the HTTPS: used for the MSKB articles), ie. they use HTTP instead of HTTPS, inviting to MitM attacks, ALTHOUGH the server www.microsoft.com supports HTTPS and even redirects these requests to ! JFTR: this bad habit is of course present in ALMOST ALL MSKB articles for previous security updates for Microsoft's Office products too ... and Microsoft does NOT CARE A B^HSHIT about it! Microsoft also links all the MSKB articles for their Windows security updates, for example , in their "Security update deployment information: , ". Allmost all of these MSKB articles as well as those for Microsoft's Office products (see above) in turn contain a link to Microsoft's "Update Catalog", which ALL are of the form (despite the HTTPS: used for the MSKB articles), ie. they use HTTP instead of HTTPS, inviting to MitM attacks, ALTHOUGH the server catalog.update.microsoft.com [*] supports HTTPS! JFTR: even if you browse the "Microsoft Update Catalog" via [#], ALL download links published there use HTTP, not HTTPS! That's trustworthy computing ... the Microsoft way! Despite numerous mails sent to in the last years, and numerous replies "we'll forward this to the product groups", nothing happens at all. stay tuned Stefan Kanthak [*] catalog.update.microsoft.com is redirected to catalog.update.microsoft.com/v7/site, which in turn is redirected to www.catalog.update.microsoft.com/, for both HTTP and HTTPS CONNECT https://catalog.update.microsoft.com GET / http/1.1 | HTTP/1.1 302 Found | Cache-Control: private | Content-Length: 125 | Content-Type: text/html; charset=utf-8 | Location: /v7/site | Server: Microsoft-IIS/10.0 | X-AspNet-Version: 4.0.30319 | X-Powered-By: ASP.NET | Date: Wed, 14 Feb 2018 09:42:51 GMT | HTTP/1.1 301 Moved Permanently | Content-Length: 168 | Content-Type: text/html; charset=UTF-8 | Location: https://catalog.update.microsoft.com/v7/site/ | Server: Microsoft-IIS/10.0 | X-Powered-By: ASP.NET | X-Frame-Options: DENY | Date: Wed, 14 Feb 2018 09:42:51 GMT | HTTP/1.1 302 Redirect | Content-Length: 164 | Content-Type: text/html; charset=UTF-8 | Location: https://www.catalog.update.microsoft.com/ | Server: Microsoft-IIS/10.0 | X-Powered-By: ASP.NET | X-Frame-Options: DENY | Date: Wed, 14 Feb 2018 09:42:51 GMT | HTTP/1.1 200 OK | Cache-Control: private | Content-Length: 11135 | Content-Type: text/html; charset=utf-8 | Server: Microsoft-IIS/10.0 | X-AspNet-Version: 4.0.30319 | X-Powered-By: ASP.NET | X-Frame-Options: DENY | Strict-Transport-Security: max-age=31536000; includeSubDomains | Date: Wed, 14 Feb 2018 09:42:53 GMT [#] if your browser attemps to connect to these servers with HTTP/2, it fails: they use a blacklisted cipher suite with HTTP/2, see