Microsoft Upgrades all System Updates to SHA-2 Code Signing
Microsoft has announced they will no longer use Secure Hash Algorithm 1 (SHA-1) to authenticate Windows operating system updates due to security concerns associated with the algorithm.
Microsoft customers with Windows 7 or Windows Server 2008 will be affected by this change and must install SHA-2 code-signing support for these devices by July 16, 2019. Without support for SHA-2, devices will no longer receive updates after July and will then be vulnerable to security threats.
In the past, Microsoft updates were dual-signed using both SHA-1 and SHA-2. These algorithms verify the authenticity of updates from Microsoft and ensure they were not interfered with during delivery. Because of weaknesses in SHA-1, Microsoft will now sign security certificates with SHA-2 only.
This affects Windows 7 SP1, Windows Server 2008 R2 SP1 and Windows Server 2008 SP2. Windows 10 users will not be required to take any action. Microsoft will begin releasing updates for the affected systems on March 12th, 2019.
| Target Date | Event | Applies To |
| March 12, 2019 | Stand Alone updates that introduce SHA-2 code sign support will be released as security updates. | Windows 7 SP1, Windows Server 2008 R2 SP1. |
| March 12, 2019 | Stand Alone update will be delivered to WSUS 3.0 SP2 that will support delivering SHA-2 signed updates. For those customers using WSUS 3.0 SP2, this update should be installed no later than June 18, 2019. | WSUS 3.0 SP2 |
| April 9, 2019 | Stand Alone updates that introduce SHA-2 code sign support will be released as security updates. | Windows Server 2008 SP2. |
| June 18, 2019 | Windows 10 updates signatures changed from dual signed (SHA1/SHA2) to SHA2 only. No customer action is expected for this milestone. | Windows 10 1709, Windows 10 1803, Windows 10 1809, Windows Server 2019 |
| June 18, 2019 | Required: For those customers using WSUS 3.0 SP2, the updates should installed by this date. | WSUS 3.0 SP2 |
| July 16, 2019 | Required: Updates for legacy Windows versions will require that SHA-2 code signing support be installed. The support released in March and April will be required in order to continue to receive updates on these versions of Windows. | Windows 7 SP1, Windows Server 2008 R2 SP1, Windows Server 2008 SP2. |
| July 16, 2019 | Windows 10 updates signatures changed from dual signed (SHA1/SHA2) to SHA2 only. No customer action is expected for this milestone. | Windows 10 1507, Windows 10 1607, Windows 10 1703 |
| August 13, 2019 | Contents of updates for legacy Windows versions will be SHA2 signed (embed signed binaries and catalogs). No customer action is expected for this milestone. | Windows 7 SP1, Windows Server 2008 R2 SP1, Windows Server 2008 SP2. |
| September 16, 2019 | Legacy Windows updates signatures changed from dual signed (SHA1/SHA2) to SHA2 only. No customer action is expected for this milestone. | Windows 7 SP1, Windows Server 2008 R2 SP1, Windows Server 2008 SP2, Windows Server 2012, Windows 8.1, Windows Server 2012 R2 |
See the most current version of this official chart here.
Security Concerns Surrounding SHA-1
Questions about the strength of the SHA-1 algorithm have circulated for a while. In 2017, Microsoft started blocking websites with SSL Certificates signed using SHA-1 in Edge and Internet Explorer. Weaknesses found in the algorithm as well as increased processor performance, and cloud computing have all contributed to making SHA-1 less secure.
SHA-2 runs on the same algorithm as SHA-1 but is not affected by the same weaknesses. SHA-2 uses different input and output sizes that give it much stronger security.
For more information about Secure Hash Algorithms, see this page.
End of Support for Windows 7 and Windows Server 2008 Looms
While these updates are important for ensuring secure systems in the short term, don’t forget that both Window 7 and Windows Server 2008 are scheduled to go end of support on January 14, 2020. This means updating to SHA-2 will only buy you one year of updates.
Planning for end of support scenarios early on can save your business from disruptions caused by noncompliance and security threats posed by unsupported and out-of-date technologies.
The good news is Microsoft offers multiple options for upgrading your systems that will allow you to maintain security whether you need to wait and leverage upcoming refresh plans or are ready to transform your infrastructure right away.
Properly Updating Systems
PEI recommends SHA-2 code-signing updates provided by Microsoft are installed on all affected systems as quickly as your update procedure will allow to prevent unnecessary security risks.
If you need assistance preparing for or installing these updates, our operations team can help. Contact us here or by phone at 303-786-7474.
Read more about this in the News on ZDNet
