Running Windows 7 or Server 2008? You will need this patch!

Martin Brinkmann
Nov 20, 2018
Updated • Mar 14, 2019
Windows, Windows 7
|
25

Microsoft plans to release an update early next year for the company's Windows 7 and Windows Server 2008 operating systems that add support for SHA-2 update handling to them.

Updates are delivered using SHA-1 and SHA-2 currently. SHA-1 is a  hashing algorithm with known weaknesses and Microsoft plans to do away with SHA-1 support in April 2019 to use SHA-2, an improved hashing algorithm, exclusively going forward.

While that is no problem for Windows 8.1, Windows 10, or the server equivalents, it is one for devices running Windows 7 or Windows Server 2008. The reason is simple: SHA-2 is not supported by these operating systems when it comes to updates.

Any update that is delivered as SHA-2 exclusively, better, signed using SHA-2, can't be verified on Windows 7 or Windows Server 2008 devices. Means, these updates don't get installed on devices running these versions of Windows anymore unless the SHA-2 update patch is installed first.

windows 7 server 2008 code signing

Microsoft published a timeline of events on a new support page:

  • February 2019: The SHA-2 update is included in the Preview of Monthly Rollup updates and  available as a standalone update as well.
  • March 2019: The update is included in Monthly Rollup and Security-only updates for the operating systems.
  • April 2019: Starting in April, updates released in April 2019 or later will be delivered using SHA-2 signing exclusively.
  • July 2019: WSUS 3.0 SP2 will require that SHA-2 support is installed. All Windows servicing will be SHA-2 only.

Updates released prior to April 2019 will still be offered as SHA-1 signed versions as it would potentially lock systems out completely from receiving Windows Updates.

Devices that don't have the SHA-2 patch installed won't get new updates starting in April 2019 until the patch is installed on these devices.

To protect your security, Windows operating system updates are dual-signed using both the SHA-1 and SHA-2 hash algorithms to authenticate that updates come directly from Microsoft and were not tampered with during delivery. Due to weaknesses in the SHA-1 algorithm and to align to industry standards Microsoft will only sign Windows updates using the more secure SHA-2 algorithm exclusively.

As Woody Leonhard notes, it is critical that Microsoft gets the patch right the first time it is put out there in the open as there is little time to fix any issues that might come up.

Update: The patches are now available and distributed as security updates via Windows Update and other update management platforms. Check out the support article KB4472027 -- 2019 SHA-2 Code Signing Support requirement for Windows and WSUS -- for additional information.

Summary
Running Windows 7 or Server 2008? You will need this patch!
Article Name
Running Windows 7 or Server 2008? You will need this patch!
Description
Microsoft plans to release an update early next year for the company's Windows 7 and Windows Server 2008 operating systems that adds support for SHA-2 update handling to them.
Author
Publisher
Ghacks Technology News
Logo
Advertisement

Tutorials & Tips


Previous Post: «
Next Post: «

Comments

  1. Phase4 said on November 22, 2018 at 7:37 am
    Reply

    Simple answer is that I didn’t think to look beyond when I found it on archive.org. :-) Thanks for pointing it out.

  2. John in Mtl said on November 21, 2018 at 11:22 pm
    Reply

    This file is also still available on the Microsoft Catalog, so why get it from a third party at this time?:

    https://www.catalog.update.microsoft.com/Search.aspx?q=KB3033929

  3. Phase4 said on November 21, 2018 at 8:30 pm
    Reply

    I haven’t allowed WinUpdate since I can’t remember but it was prior to the KB’s that @AnorKnee Merce mentioned. I wanted to add these though and was able to track the files down and figured I’d put them up here in case anyone was interested.

    I found KB3033929 at archive.org
    https://ia600200.us.archive.org/4/items/Windows6.1KB3033929X64/Windows6.1-KB3033929-x64.msu

    and KB2921916 which is inside the hotfix 471834_intl_x64_zip.exe over at GitHub.
    https://github.com/CNMan/MicrosoftHotfixesList/blob/master/win7_winsrv2008r2_with_sp1/Windows7-x64.xml

    The actual link to the hotfix is
    https://hotfixv4.trafficmanager.net/Windows%207/Windows%20Server2008%20R2%20SP1/sp2/Fix485407/7600/free/471834_intl_x64_zip.exe

  4. Gary D said on November 21, 2018 at 5:00 pm
    Reply

    @ AnorKnee Merce

    I forgot to thank you for the links which you provided with reference KB 3033929.

    1. AnorKnee Merce said on November 21, 2018 at 7:13 pm
      Reply

      @ Gary D,

      You are welcome.
      .

      Further info about SHA-2 wrt updates for AV programs on Windows machines, …….

      https://success.trendmicro.com/solution/1113199-trend-micro-products-and-microsoft-s-sha-1-deprecation-policy-for-code-signing – 2 Sep 2018

  5. AnorKnee Merce said on November 21, 2018 at 1:27 pm
    Reply

    <<>>

    https://www.cnet.com/news/comodohacker-i-can-issue-fake-windows-updates/ – September 12, 2011
    .
    https://security.stackexchange.com/questions/19979/are-windows-updates-susceptible-to-tampering-eg-using-a-mitm-attack – Sep 10 ’12
    .
    .
    Since Windows Update is invulnerable, Win 7 has already been patched for SHA-2 support in 2015 and SHA-1 has been fully deprecated by M$ in 2017, why the need for this CRITICAL update for Win 7 in Feb 2019 from M$.?

  6. Bikka said on November 21, 2018 at 12:58 pm
    Reply

    None of the 60 or so Win 7 PCs in this office has had Windows Update for nearly 2 years now. This was because we did not agree to forced telemetry or Win 10 ‘upgrades’, with tiles, candy crush, more unstoppable telemetry. Recent update quality and still unstoppable telemetry gives us no pause to reconsider.

  7. dark said on November 21, 2018 at 12:36 pm
    Reply

    Who in their right mind runs Windows on servers

  8. Kwasiarz said on November 21, 2018 at 11:55 am
    Reply

    Martin, do you mean Server 2008 or Server 2008 R2?

    1. Martin Brinkmann said on November 21, 2018 at 12:10 pm
      Reply

      Both. Microsoft lists Windows Server 2008 R2 SP1 and Windows Server 2008 SP2.

  9. stefann said on November 21, 2018 at 12:13 am
    Reply

    I stopped update my Windows 7 x64 mid 2016 when Microsoft started with its MONTHLY LOW QUALITY ROLLUPS.

  10. Gary D said on November 20, 2018 at 8:39 pm
    Reply

    @ AnorKnee Merce, Tom Hawack et al.

    I have just checked the installed updates on my Win 7 laptop.

    KB 3033929 was installed on 14/5/2015 so it looks like MS is doing something a bit suspicious with this SHA2 update.

    Click on AnorKnee Merce’s links to confirm that SHA2 is ALREADY installed on your hardware. If it is, this information from MS is irrelevant.

    1. Tom Hawack said on November 20, 2018 at 11:43 pm
      Reply

      I’ve had KB3033929 installed on 2016/07/04, Windows 7.
      Darn.

  11. P said on November 20, 2018 at 8:26 pm
    Reply

    Paid security support will continue for windows 7 till 2023 with the updates likely leaking to the interwebs.

  12. Yuliya said on November 20, 2018 at 7:34 pm
    Reply

    This is a good thing, ofcourse, assuming they get it right. Backporting features to 7 is almost always good. And I say almost because the telemetry backport was not, and will never be welcome, but thankfuly with 7 the user is still in control of the OS and not Microsoft.

    1. John Fenderson said on November 20, 2018 at 7:40 pm
      Reply

      “the telemetry backport was not”

      Agreed. If I had any Windows 7 machines, the release of that patch would have marked the day that I stopped accepting any patches for Win 7 at all.

  13. AnorKnee Merce said on November 20, 2018 at 7:31 pm
    Reply

    https://docs.microsoft.com/en-us/security-updates/securityadvisories/2015/3033929 – Availability of SHA-2 Code Signing Support for Windows 7 and Windows Server 2008 R2 – Published: March 10, 2015
    .
    https://charismathics.zendesk.com/hc/en-us/articles/231993568-How-to-enable-SHA2-Support-on-Windows-7 – Nov 4, 2016
    .
    .
    According to M$’s own documentation above, Win 7 had already been patched(= KB3033929) for SHA-2 support since March 2015. What gives.?

    Is M$ trying to sneak in another GWX KB3035583 and/or KB2952664 or something else.? Bear in mind that by Feb 2019, EOL for Win 7 will be just around the corner = may be M$’s last chance to hood-wink the still-remaining millions of Win 7 users into upgrading to Win 10.
    .
    https://www.csoonline.com/article/2879073/encryption/all-you-need-to-know-about-the-move-from-sha1-to-sha2-encryption.html

    1. Yuliya said on November 21, 2018 at 8:52 pm
      Reply

      Interesting, I don’t have this update on a machine updated up to december 2017: imgur.com/CMNxhi9
      For anyone who wants to check, the powershell command is: get-hotfix -id KB3033929

      1. AnorKnee Merce said on November 22, 2018 at 10:41 am
        Reply

        @ Yuliya

        Windows Update in Win 7/8.1 can be set to manual, unlike Win 10’s forced auto-updates. So, you likely had Windows Update set to manual(eg “notify me but let me choose when to download and install updates”) and chose to not install KB3033929 when it was offered to your Win 7 computer in 2015.
        ___ Those with Windows Update set to the default of Automatic would have gotten KB3033929 in 2015 = have support for SHA-2 in Win 7.

        Similarly, that was how many Win 7 users manually avoided the install of GWX KB3035583 and KB2952664 in 2015 and 2016.

  14. Tom Hawack said on November 20, 2018 at 6:27 pm
    Reply

    I don’t update Windows 7 since two years now so I won’t have to go through this : installing an update to allow further Windows Updates with SHA-2 handled by Windows 7. Generally speaking Microsoft updates are all calibrated on Windows 10 aka “The Nightmare” and consequently previous versions have to swim or sink. Let mine sink, meanwhile it swims.

  15. John Fenderson said on November 20, 2018 at 6:07 pm
    Reply

    “As Woody Leonhard notes, it is critical that Microsoft gets the patch right the first time it is put out there in the open as there is little time to fix any issues that might come up.”

    I think I should start an office betting pool on whether or not this update will be borked.

  16. Justchillin said on November 20, 2018 at 5:43 pm
    Reply

    I don’t get it

    Why would MS introduce SHA-2 support in “Legacy Windows OSs” when the end of life (January 14, 2020) for these OSs is just a few months away?

    Yup, you guessed it right ;-)

    1. John Fenderson said on November 20, 2018 at 11:21 pm
      Reply

      14 months is a bit more than a “few months away”. If Microsoft didn’t do this, that would be over a year of security updates that would be missed!

  17. TelV said on November 20, 2018 at 5:38 pm
    Reply

    Any bets that Microsoft will screw things up before the patch becomes available making it impossible to install?

    1. Tom Hawack said on November 20, 2018 at 6:28 pm
      Reply

      Count me in. Not to mention that a bet can always be lost if a miracle arises.

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

We love comments and welcome thoughtful and civilized discussion. Rudeness and personal attacks will not be tolerated. Please stay on-topic.
Please note that your comment may not appear immediately after you post it.