There is a bad news for Windows 7 users who have not yet enabled SHA-2 support on their computers. The announcement was made on Microsoft’s 2019 SHA-2 Code Signing Support Requirement documents. According to the announcement, Windows 7 users will have to enable SHA-2 support in order to take advantage from Windows updates. The support document at Microsoft says, “The Secure Hash Algorithm 1 (SHA-1) was developed as an irreversible hashing function and is widely used as a part of code-signing.
Unfortunately, the security of the SHA-1 hash algorithm has become less secure over time due to weaknesses found in the algorithm, increased processor performance, and the advent of cloud computing. Stronger alternatives such as the Secure Hash Algorithm 2 (SHA-2) are now strongly preferred as they do not suffer from the same issues.”
For security protection, Windows OS updates are dual-signed through SHA-1 and SHA-2 algorithms both. They assist in authentication of updates which come directly from Microsoft and were not tampered with during their delivery. The move has come after weaknesses were faced in SHA-1 algorithm. In order to align the updates with industry standards, the Windows updates now will only be signed using SHA-2 algorithm exclusively which is more secure.
Microsoft now says that users who were running legacy OS versions including Windows 7 SP1, Windows Server 2008 R2 SP1 and Windows Server 2008 SP2 will now have to enable SH-2 code for signing support installed on their devices by April 2019. All the devices which will not have SHA-2 support will not be offered any Windows updates after April 2019. To assist the users in preparing for this change, Microsoft will release support for SHA-2 signing in 2019. Some older versions of Windows Server Update Services (WSUS) will receive SHA-2 support also for properly delivering SHA-2 signed updates.
This latest security measure is scheduled to be released in less than half a year. The weaknesses within SHA-1 algorithm had constantly been criticized by researchers who had denounced the signing’s relatively simple circumvention. Owing to this, Microsoft is now going to switch entirely to update signing through SHA-2.
All the changes regarding this are mentioned in this support document.