Running Windows 7 or Server 2008? You will need this patch!

by Martin Brinkmann on November 20, 2018 in Windows – 25 comments

Microsoft plans to release an update early next year for the company's Windows 7 and Windows Server 2008 operating systems that adds support for handling SHA-2-signed updates to them.

Updates are currently dual-signed using SHA-1 and SHA-2. SHA-1 is a hashing algorithm with known weaknesses, and Microsoft plans to drop SHA-1 signing in April 2019 and use SHA-2, the stronger successor, exclusively from then on.

While that is no problem for Windows 8.1, Windows 10, or their server equivalents, it is one for devices running Windows 7 or Windows Server 2008. The reason is simple: these operating systems cannot verify SHA-2 signatures on updates.

Any update that is signed using SHA-2 only can't be verified on Windows 7 or Windows Server 2008 devices. This means such updates will no longer install on devices running these versions of Windows unless the SHA-2 support update is installed first.

Microsoft published a timeline of events on a new support page:

  • February 2019: The SHA-2 update is included in the Preview of Monthly Rollup updates and is available as a standalone update as well.
  • March 2019: The update is included in the Monthly Rollup and Security-only updates for the operating systems.
  • April 2019: Updates released in April 2019 or later will be signed using SHA-2 exclusively.
  • July 2019: WSUS 3.0 SP2 will require that SHA-2 support is installed. All Windows servicing will be SHA-2 only.

Updates released before April 2019 will still be offered as SHA-1 signed versions, since doing otherwise would potentially lock systems out of Windows Update completely.

Devices that don't have the SHA-2 patch installed won't receive any new updates from April 2019 onward until the patch is installed on them.

To protect your security, Windows operating system updates are dual-signed using both the SHA-1 and SHA-2 hash algorithms to authenticate that updates come directly from Microsoft and were not tampered with during delivery. Due to weaknesses in the SHA-1 algorithm and to align to industry standards Microsoft will only sign Windows updates using the more secure SHA-2 algorithm exclusively.
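To make the difference between a dual-signed update and a SHA-2-only one concrete, here is an added example (my code, not the article's and not Microsoft's) that reads the Authenticode signature out of a PE image and reports the digest algorithm of the primary signature and of any nested signature stored in Microsoft's szOID_NESTED_SIGNATURE attribute, which is how a dual-signed binary carries a SHA-1 primary signature plus a SHA-256 one. It parses the PE security directory and the PKCS#7 SignedData structure only; it verifies nothing, and it handles PE images (.exe, .dll, .sys) only, not .msu or .cab packages, which store their signatures differently. The two sample images at the bottom are constructed in the code with a placeholder signer and exist only to exercise the parser.

```python
import struct

OID_NAMES = {"1.3.14.3.2.26": "sha1", "2.16.840.1.101.3.4.2.1": "sha256",
             "2.16.840.1.101.3.4.2.2": "sha384", "2.16.840.1.101.3.4.2.3": "sha512"}
OID_SIGNED_DATA = "1.2.840.113549.1.7.2"
OID_NESTED_SIG = "1.3.6.1.4.1.311.2.4.1"       # Microsoft szOID_NESTED_SIGNATURE (dual-signing attribute)

def der_items(buf):
    """Split a constructed DER value into (tag, value, whole_tlv) triples."""
    pos, out = 0, []
    while pos < len(buf) and buf[pos]:           # a zero byte is WIN_CERTIFICATE padding, not a tag
        start, tag, length, pos = pos, buf[pos], buf[pos + 1], pos + 2
        if length & 0x80:                        # long-form length
            n = length & 0x7F
            length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        out.append((tag, buf[pos:pos + length], buf[start:pos + length]))
        pos += length
    return out

def oid_str(value):
    arcs, n = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:                          # base-128 arcs, high bit = continuation
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, n = arcs + [n], 0
    return ".".join(map(str, arcs))

def signature_digests(pkcs7):
    """Digest names of a PKCS#7 SignedData: the primary signature first, then any nested ones."""
    ctype, explicit = der_items(der_items(pkcs7)[0][1])[:2]
    if oid_str(ctype[1]) != OID_SIGNED_DATA:
        raise ValueError("not a PKCS#7 SignedData")
    # SignedData ::= SEQ { version, digestAlgorithms SET, contentInfo, [certs], [crls], signerInfos SET }
    fields = der_items(der_items(explicit[1])[0][1])
    digests = [OID_NAMES.get(o, o) for o in
               (oid_str(der_items(alg)[0][1]) for _, alg, _ in der_items(fields[1][1]))]
    for _, signer, _ in der_items(fields[-1][1]):
        for tag, attrs, _ in der_items(signer):
            if tag != 0xA1:                      # [1] IMPLICIT unsignedAttrs of SignerInfo
                continue
            for _, attr, _ in der_items(attrs):
                a_oid, a_vals = der_items(attr)[:2]
                if oid_str(a_oid[1]) == OID_NESTED_SIG:
                    for _, _, nested in der_items(a_vals[1]):
                        digests += signature_digests(nested)
    return digests

def pe_digests(pe):
    """Digests of the Authenticode signature(s) embedded in a PE image; [] if unsigned."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    opt = e_lfanew + 24                          # optional header follows the 20-byte COFF header
    dirs = opt + (96 if struct.unpack_from("<H", pe, opt)[0] == 0x10B else 112)   # PE32 vs PE32+
    offset, size = struct.unpack_from("<II", pe, dirs + 4 * 8)   # IMAGE_DIRECTORY_ENTRY_SECURITY: file offset
    if size == 0:
        return []
    length, _rev, cert_type = struct.unpack_from("<IHH", pe, offset)   # WIN_CERTIFICATE header
    if cert_type != 0x0002:                      # WIN_CERT_TYPE_PKCS_SIGNED_DATA
        raise ValueError("unsupported certificate type %#x" % cert_type)
    return signature_digests(pe[offset + 8:offset + length])

# --- constructed samples: placeholder signer and certificates, just enough structure for the parser ---
def der(tag, *parts):
    body = b"".join(parts)
    if len(body) < 128:
        return bytes([tag, len(body)]) + body
    nb = (len(body).bit_length() + 7) // 8
    return bytes([tag, 0x80 | nb]) + len(body).to_bytes(nb, "big") + body

def der_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        while a >> 7:
            a >>= 7
            chunk.append(0x80 | (a & 0x7F))
        out += reversed(chunk)
    return der(0x06, bytes(out))

def fake_signed_data(digest_oid, unsigned_attrs=b""):
    alg = der(0x30, der_oid(digest_oid), der(0x05))
    signer = der(0x30, der(0x02, b"\x01"), der(0x30, der(0x30), der(0x02, b"\x01")), alg,
                 der(0x30, der_oid("1.2.840.113549.1.1.1"), der(0x05)), der(0x04, b"\0" * 8), unsigned_attrs)
    signed = der(0x30, der(0x02, b"\x01"), der(0x31, alg),
                 der(0x30, der_oid("1.3.6.1.4.1.311.2.1.4")), der(0x31, signer))  # SpcIndirectDataContent
    return der(0x30, der_oid(OID_SIGNED_DATA), der(0xA0, signed))

def fake_pe(blob):
    cert_off = 0x40 + 4 + 20 + 112 + 16 * 8      # right after a PE32+ header with 16 data directories
    padded = blob + b"\0" * (-len(blob) % 8)
    win_cert = struct.pack("<IHH", 8 + len(padded), 0x0200, 0x0002) + padded
    dirs = bytearray(16 * 8)
    struct.pack_into("<II", dirs, 4 * 8, cert_off, len(win_cert))
    return (b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40) + b"PE\0\0" + b"\0" * 20
            + struct.pack("<H", 0x20B) + b"\0" * 110 + bytes(dirs) + win_cert)

SHA1, SHA256 = "1.3.14.3.2.26", "2.16.840.1.101.3.4.2.1"
NESTED_SHA256 = der(0xA1, der(0x30, der_oid(OID_NESTED_SIG), der(0x31, fake_signed_data(SHA256))))
DUAL_SIGNED = fake_pe(fake_signed_data(SHA1, NESTED_SHA256))   # pre-April-2019 style: SHA-1 primary, SHA-256 nested
SHA2_ONLY = fake_pe(fake_signed_data(SHA256))                  # April-2019-and-later style: SHA-2 only
```

On a real file, call pe_digests(open(path, "rb").read()). A result of ["sha1", "sha256"] is the dual-signed shape described above, where the SHA-1 signature is the primary one and the SHA-256 signature rides along as a nested attribute; ["sha256"] alone is what the April 2019 and later updates look like, and it is the shape an unpatched Windows 7 or Server 2008 machine cannot verify.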

As Woody Leonhard notes, it is critical that Microsoft gets the patch right the first time it is released, as there is little time to fix any issues that might come up.