Microsoft plans to release an update early next year for the company's Windows 7 and Windows Server 2008 operating systems that adds support for SHA-2 update handling.
Updates are delivered using SHA-1 and SHA-2 currently. SHA-1 is a hashing algorithm with known weaknesses and Microsoft plans to do away with SHA-1 support in April 2019 to use SHA-2, an improved hashing algorithm, exclusively going forward.
While that is no problem for Windows 8.1, Windows 10, or the server equivalents, it is one for devices running Windows 7 or Windows Server 2008. The reason is simple: SHA-2 is not supported by these operating systems when it comes to updates.
Any update that is delivered as SHA-2 exclusively or, more precisely, signed using SHA-2 only, can't be verified on Windows 7 or Windows Server 2008 devices. This means that these updates won't be installed on devices running these versions of Windows unless the SHA-2 update patch is installed first.
Microsoft published a timeline of events on a new support page:
Updates released prior to April 2019 will still be offered as SHA-1 signed versions, as offering them as SHA-2 only would potentially lock systems out completely from receiving Windows Updates.
Devices that don't have the SHA-2 patch installed won't get new updates starting in April 2019 until the patch is installed on these devices.
To protect your security, Windows operating system updates are dual-signed using both the SHA-1 and SHA-2 hash algorithms to authenticate that updates come directly from Microsoft and were not tampered with during delivery. Due to weaknesses in the SHA-1 algorithm and to align to industry standards Microsoft will only sign Windows updates using the more secure SHA-2 algorithm exclusively.
As Woody Leonhard notes, it is critical that Microsoft gets the patch right the first time it is put out there in the open as there is little time to fix any issues that might come up.
Update: The patches are now available and distributed as security updates via Windows Update and other update management platforms. Check out the support article KB4472027 -- 2019 SHA-2 Code Signing Support requirement for Windows and WSUS -- for additional information.
Ghacks is a technology news blog that was founded in 2005 by Martin Brinkmann. It has since then become one of the most popular tech news sites on the Internet with five authors and regular contributions from freelance writers.