Shouldn't Microsoft be signing updates so that redirection attacks don't work?
Elaborating on my question; I mean much more like Linux distributions, which sign both packages (updates) and the index of those files. Some distributions use multiple hashes/digests to make collision attacks far less likely to succeed.
Such an attack could be either traffic at layer 3 redirected via router compromise, or via some name resolution weakness (possibly even to localhost, as a way of malware upgrading from being able to edit the hosts file to having system level services).
The signing of both the update files and the list of updates could offer protection from an attack that would thus need to be valid for all of the signature checks, not just a single check.
Based on the info in the post, I'd guess that this is a test update of some sort and that it was pushed by mistake.
Disclosure: MSFT employee, but no knowledge of what this is about.
Microsoft sign updates and utilise HTTPS.
Given how few users are impacted by this suspect update, it may be the result of malware on their local machine. If malware has root then all bets are off; the signing requirement can be removed.
The signature is distributed alongside the binaries.
I'm not certain if the Windows Update system uses the same Authenticode system used for application binaries, but you can start reading here:
It verifies that the signer had access to the private key, and that the data signed by the private key is the same data that you are verifying with the public key.
It's like the other checksums (SHA-1/MD5/etc) with the addition of identity verification (so long as you can trust that the private-public keypair used to sign it is only accessible to parties you trust).
(I am not experienced in cryptography. This explanation might be a little simplistic.)
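As an added illustration of the scheme the question asks for (a signed index plus per-package digests) and of what this answer says a signature verifies, not code from the question, either answer, Microsoft, or any Linux distribution's real update format: the index listing each update's SHA-256 is signed once with Ed25519, and the client accepts a package only if the index signature holds and the package matches its listed digest. Go with the standard library only; the file name, bodies and key are constructed for the demo.

```go
package main
import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"sort"
	"strings"
)
// digest returns the hex SHA-256 of a body; a second digest column could be added the same way.
func digest(body []byte) string { s := sha256.Sum256(body); return hex.EncodeToString(s[:]) }
// BuildIndex renders a deterministic text index: one "name sha256" line per update body.
func BuildIndex(updates map[string][]byte) []byte {
	lines := make([]string, 0, len(updates))
	for name, body := range updates {
		lines = append(lines, name+" "+digest(body))
	}
	sort.Strings(lines)
	return []byte(strings.Join(lines, "\n") + "\n")
}
// VerifyUpdates passes only if the index signature holds AND each body matches its listed digest.
func VerifyUpdates(pub ed25519.PublicKey, index, sig []byte, received map[string][]byte) error {
	if !ed25519.Verify(pub, index, sig) {
		return errors.New("index signature invalid")
	}
	expected := map[string]string{} // name -> digest, parsed only after the signature check
	for _, line := range strings.Split(strings.TrimSpace(string(index)), "\n") {
		if f := strings.Fields(line); len(f) == 2 {
			expected[f[0]] = f[1]
		}
	}
	for name, body := range received {
		if expected[name] != digest(body) {
			return errors.New(name + ": not listed or digest mismatch")
		}
	}
	return nil
}
// Demo: throwaway key; reports whether genuine set / swapped body / edited index pass (true, false, false).
func Demo() (genuine, swappedBody, editedIndex bool) {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil reader means crypto/rand; demo key only
	good := map[string][]byte{"update-demo.bin": []byte("constructed update body")}
	bad := map[string][]byte{"update-demo.bin": []byte("constructed substituted body")}
	index := BuildIndex(good)
	sig := ed25519.Sign(priv, index)
	return VerifyUpdates(pub, index, sig, good) == nil,
		VerifyUpdates(pub, index, sig, bad) == nil,
		VerifyUpdates(pub, BuildIndex(bad), sig, bad) == nil
}
```

A redirected mirror that swaps a package body fails the digest check, and one that also rewrites the index to match fails the signature check, which is the "valid for all of the signature checks" property the question describes.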
It actually seems pretty likely that parties outside of Microsoft have access to their update signing key, given the Snowden revelations. Consider the Stuxnet distribution strategy -- what a boon it'd be to be able to deploy that sort of machine-specific payload via the built-in update kit.