Mandatory update for Windows 7, 2008 to eliminate weak update hashes




Users of Windows 7 and Windows Server 2008 will soon have to roll out a mandatory patch if they want to continue updating their systems, as Mary Jo Foley points out.

Currently, Microsoft's Windows updates use two different hashing algorithms, SHA-1 and SHA-2, to allow Windows to detect any attempt to alter or modify the update files. Windows 7 and Server 2008 check the SHA-1 hashes of patches; Windows 8 and later use SHA-2 hashes instead. The March fix will include a stand-alone update for Windows 7, Windows Server 2008 R2, and WSUS to support SHA-2-hashed patches. The April patch will include an equivalent update for Windows Server 2008.

The SHA-1 algorithm, first published in 1995, takes an input and produces a 20-byte value called a hash or digest. By design, any minor change to the input should produce, with high probability, an extremely different hash value. SHA-1 is no longer considered secure because well-funded organizations have managed to generate hash collisions: two different files that nonetheless have the same SHA-1 hash. If a collision could be generated for a Windows update, it would be possible for an attacker to produce a malicious update that nevertheless appears to the system to have been produced by Microsoft and not tampered with thereafter.

This weakness of SHA-1 has led to its gradual deprecation in the systems that use it. Modern browsers no longer trust SSL certificates using SHA-1. The changes made to Windows Update are part of this ongoing process of phasing out the old algorithm. As of June 18, 2019 (that is, taking effect with July's Tuesday fix), Windows 10 updates will only include SHA-2 hashes. Starting July 16, the new Windows 7, Server 2008, and Server 2008 R2 fixes will only include SHA-2 hashes, and starting September 16, legacy Windows updates with dual SHA-1/SHA-2 digests will be replaced by SHA-2-only versions.

With the patches in place, these changes should be incorporated. Without the patches, however, the machines will no longer be able to install other Windows updates. SHA-2 patches will be stand-alone updates, so even businesses that are holding back other patches for one reason or another should be able to install them without difficulty.
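
The transition described above can be modelled in a few lines. This is an added example, not Microsoft's code and not how Windows Update is actually implemented: the manifest layout, `verify`, and the client tuples are hypothetical names, and the payload is constructed sample data. It shows why a client that only implements SHA-1 cannot verify a SHA-2-only update, while a patched client verifies both dual-hashed and SHA-2-only updates using the stronger digest.

```python
import hashlib
import hmac

# Constructed sample payload standing in for an update file.
UPDATE = b"constructed update payload v1"

def digests(data):
    """Return the SHA-1 (20-byte) and SHA-256 (32-byte) digests as hex."""
    return {"sha1": hashlib.sha1(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}

def verify(data, manifest, supported):
    """Check data against a manifest with the strongest shared algorithm.

    manifest:  {"sha1": hex, "sha256": hex}; either key may be absent
    supported: algorithms this client implements, strongest first
    Returns (ok, algorithm_used). algorithm_used is None when the client
    shares no algorithm with the manifest and so cannot verify at all.
    """
    for alg in supported:
        expected = manifest.get(alg)
        if expected is None:
            continue
        actual = hashlib.new(alg, data).hexdigest()
        # Constant-time comparison of the two hex digests.
        return hmac.compare_digest(actual, expected), alg
    return False, None

# Hypothetical client models (assumptions for illustration).
LEGACY_CLIENT = ("sha1",)             # unpatched: implements SHA-1 only
PATCHED_CLIENT = ("sha256", "sha1")   # patched: prefers SHA-2

_full = digests(UPDATE)
DUAL_MANIFEST = dict(_full)                        # SHA-1 and SHA-2 digests
SHA2_ONLY_MANIFEST = {"sha256": _full["sha256"]}   # after the cutover

if __name__ == "__main__":
    clients = (("legacy", LEGACY_CLIENT), ("patched", PATCHED_CLIENT))
    manifests = (("dual", DUAL_MANIFEST), ("sha2-only", SHA2_ONLY_MANIFEST))
    for cname, client in clients:
        for mname, manifest in manifests:
            print(cname, mname, verify(UPDATE, manifest, client))
```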
