News

Microsoft Publishes Windows Deadlines on Upgrading to SHA-2

• By Kurt Mackie
• 02/19/2019

Microsoft on Friday described its 2019 timeline for when it will start distrusting Secure Hash Algorithm-1 (SHA-1) in supported Windows systems, as well as in the Windows Server Update Services 3.0 Service Pack 2 management product.

The details on patching systems to support SHA-2, along with a table with deadlines for IT pros, can be found in this support article. The support article indicated when Microsoft plans to deliver so-called "standalone" updates that will cause SHA-1 to get distrusted for its older Windows systems, such as Windows 7 and Windows Server 2008. It also showed the dates when Microsoft will require that those updates be in place. If these updates aren't in place by July of this year, then future Windows updates won't arrive for those Windows operating systems.

"Any devices without SHA-2 support will not be offered Windows updates after July 2019," the support article warned.  

Although Windows 10 versions are listed in Microsoft's support article, it's the older Windows systems that may require action by IT pros. For instance, Microsoft will issue standalone security updates that will "introduce SHA-2 code sign support" for Windows 7 SP1 and Windows Server 2008 R2 SP1 with a targeted release date of March 12, 2019.

Four months later, on a targeted date of July 16, 2019, Microsoft will require that these updates be installed for Windows 7 SP1 and Windows Server 2008 R2 SP1. If they're not installed, then Windows updates won't arrive.

The arrival of the SHA-2 patch for Windows Server 2008 SP2 is a bit different. It's expected to arrive on April 9, 2019, with a required installation date of July 16, 2019.

While these patch deadlines may seem acute, the underlying products don't have much life remaining in terms of patch support anyway. Windows Server 2008 SP2 will fall out of "extended support" on Jan. 14, 2020, and that's the same end date for Windows 7. Organizations using those products have less than a year before patches stop arriving altogether. The alternatives to upgrading Windows is to pay for a "custom support" contract with Microsoft, subscribe to its Windows Server Extended Security Updates plan, or migrate workloads to Azure virtual machines.

Microsoft's support article didn't define what a "standalone" update is. A Microsoft spokesperson, though, clarified via e-mail that these updates won't arrive automatically and IT pros will have add them using the Windows Standalone Update Installer.

Stand-alone updates means they won't be available as an automatic update in Windows Update, or in Windows Update at all. You do it through the Window Standalone Update Installer, here for more info: https://support.microsoft.com/en-us/help/934307/description-of-the-windows-update-standalone-installer-in-windows

As for detecting SHA-1 use, the spokesperson pointed to Microsoft's File Checksum Integrity Verifier command-line utility. However, it seems to be an unsupported Microsoft tool that's typically used to see if files have been changed after suspected compromise, according to this support article description.

The 20-year-old SHA-1 cryptographic algorithm has long been considered unfit to use. Last year, Google and Dutch researchers demonstrated that it was possible to break SHA-1 with a brute-force-like attack. SHA-2 is supposedly immune from these attacks.

Microsoft began blocking SHA-1 by default in the Windows 10 "Creators Update" last year, and also set up "invalid certificate" warnings for users of the Microsoft Edge and Internet Explorer 11 browsers when encountering sites using SHA-1, as described in this announcement.