Microsoft: No more updates for OS using SHA-1 encryption

By /

It was established, all the way back in 2005 by cybersecurity experts that SHA-1 encryption is no longer effective as a deterrent against hackers. What makes SHA-1 flimsy as an encryption standard is the potential for collision attacks and other efficient methods of cracking the encryption. As a result, many technology giants have begun moving their products to other forms of encryption (such as SHA-2 or SHA-3). Microsoft legacy OS like Windows 7 SP1, Windows Server 2008 R2 SP1, and Windows Server 2008 SP2 all currently utilize SHA-1. It is this that the company is trying to change.

In a security memo released by Microsoft, the company detailed its plan to completely eliminate SHA-1 from the aforementioned legacy OS. The goal is to have SHA-1 no longer in use by this summer and to force users to upgrade. All updates will cease for legacy OS if they are still running SHA-1.

Microsoft describes their plan as follows:

Customers running legacy OS versions (Windows 7 SP1, Windows Server 2008 R2 SP1 and Windows Server 2008 SP2) will be required to have SHA-2 code signing support installed on their devices by July 2019. Any devices without SHA-2 support will not be offered Windows updates after July 2019. To help prepare you for this change, we will release support for SHA-2 signing in 2019. Some older versions of Windows Server Update Services (WSUS) will also receive SHA-2 support to properly deliver SHA-2 signed updates.

(by July 16, 2019): Updates for legacy Windows versions will require that SHA-2 code signing support be installed. The support released in March and April will be required in order to continue to receive updates on these versions of Windows.

(by September 16, 2019): Legacy Windows updates signatures changed from dual signed (SHA-1/SHA-2) to SHA-2 only. No customer action is expected for this milestone.

It is surprising that it took Microsoft this long to implement this plan. As stated at the beginning of this article, SHA-1 was determined to be ineffective over a decade ago. Nevertheless, this push for stronger OS encryption is a positive step for better protection of users and their data.

Featured image: Pixabay

About The Author

Derek Kortepeter is a graduate of UCLA and tech journalist. Kortepeter specializes in areas such as cyber defense, privacy rights, cyber warfare, and governmental InfoSec policy.

Read Next

Leave a Comment

Your email address will not be published. Required fields are marked *

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Scroll to Top