Microsoft will, earlier than expected, release an update that brings support for the more secure SHA-2 algorithm to Windows 7 and Windows Server 2008. The update was scheduled for April this year, but Microsoft has decided to release it a month earlier.
Next Patch Tuesday, in March this year, Windows 7 and Window Server 2008 will get the update that allows Microsoft to sign its patches with only the SHA-2 algorithm. SHA-2 replaces SHA-1, which is considered unsafe nowadays.
From June this year, all Windows updates will be distributed with only an SHA-2 signature which should make Windows Update more secure for older operating systems. Systems that don’t support SHA-2 will no longer be able to install updates from then. It’s therefore recommended installing the SHA-2 update as soon as possible.
Like all major tech companies, Microsoft signs its software. This allows software and users to verify that the updates come from a trusted source and has not been manipulated by third parties. So far, Microsoft signed its software with both SHA-1 and SHA-2 to be compatible with both old and new systems.
However, SHA-1 has been regarded as insecure since 2005 when security researchers disclosed a theoretical attack on SHA-1. In 2017 the algorithm was cracked in practice and since then it’s become known that SHA-1 can be fairly easy cracked. This allows potential attackers to add malware to an update and sign it again, after which it appears to be authentic to both software and users.
SHA-2, the successor of SHA-,1 has not been cracked yet and is still regarded as secure. It’s the default method used by Windows 8.1 and Windows 10.
Also Google and Mozilla consider SHA-1 as insecure, and therefore no longer support SHA-1 based SSL certificates which are used to encrypt internet traffic by HTTPS websites.