diff --git a/modules/update/update.fetch.inc b/modules/update/update.fetch.inc
index 428cace..618adbe 100644
--- a/modules/update/update.fetch.inc
+++ b/modules/update/update.fetch.inc
@@ -13,6 +13,9 @@
 * @see update_menu()
 */
 function update_manual_status() {
+ if (!isset($_GET['token']) || !drupal_valid_token($_GET['token'])) {
+ return drupal_access_denied();
+ }
 _update_refresh();
 $batch = array(
 'operations' => array(
diff --git a/modules/update/update.module b/modules/update/update.module
index a59c7d7..348a63d 100644
--- a/modules/update/update.module
+++ b/modules/update/update.module
@@ -659,9 +659,11 @@ function _update_project_status_sort($a, $b) {
 */
 function theme_update_last_check($variables) {
 $last = $variables['last'];
+ $link_options = array('query' => array('token' => drupal_get_token()));
+ $link_options['query'] += drupal_get_destination();
 $output = '
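Review bot: The token check added to `update_manual_status()` calls `drupal_valid_token($_GET['token'])` without a `$value`, so the token is not tied to this action and any token produced by a bare `drupal_get_token()` in the same session would pass. Bind it to the callback, e.g. `drupal_valid_token($_GET['token'], 'update_manual_status')`, with the matching `drupal_get_token('update_manual_status')` in the `theme_update_last_check()` hunk of update.module. Separately, a page callback would normally `return MENU_ACCESS_DENIED;` rather than call `drupal_access_denied()`, which delivers the 403 page itself; this is worth confirming against this branch's menu API. The docblock above the function should also state that a valid `token` query parameter is now required. The function body continues outside the hunk.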
';
 $output .= $last ? t('Last checked: @time ago', array('@time' => format_interval(REQUEST_TIME - $last))) : t('Last checked: never');
- $output .= ' (' . l(t('Check manually'), 'admin/reports/updates/check', array('query' => drupal_get_destination())) . ')';
+ $output .= ' (' . l(t('Check manually'), 'admin/reports/updates/check', $link_options) . ')';
 $output .= "
\n";
 return $output;
 }
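Review bot: Only this themed link gains the `token` query parameter, while `update_manual_status()` now rejects every request that lacks one. Any other link or redirect to `admin/reports/updates/check` (none is visible in this diff) would start returning access denied and should be updated in the same change. Because the token travels in a GET URL it will also show up in access logs and browser history, which argues for a token value specific to this action rather than the default empty one. A short comment above the `$link_options` lines, such as `// The check page rejects requests without a valid CSRF token.`, would explain why a theme function is generating a token.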