SHA-2 patch for Windows 7 arrives in March 2019

A brief note for users of Windows 7 and its server counterparts. Microsoft will release a critical standalone security update for Windows 7 and Windows Server 2008 / R2 in March 2019, which adds SHA-2 support to these operating systems. Here is some information on what this is about and exactly what happens when.



What exactly is the SHA-2 topic?

Users of Windows 7 SP1 (and its server counterparts) and WSUS will need a special update from April 2019 onwards. This update will enable the machine to handle SHA-2 code signatures in update packages. Without this update, these machines can no longer process updates.

The reason is that signing updates with SHA-1 hash values has not been considered secure for a while. Microsoft will therefore stop dual-signing update packages with SHA-1 and SHA-2 from July 2019 onward and will only provide updates signed with SHA-2. While SHA-2 support is available from Windows 8.1, it is missing in Windows 7 and Windows Server 2008 / R2.

Customers using Windows 7 SP1, Windows Server 2008 R2 SP1, and Windows Server 2008 SP2 (and WSUS 3.0 SP2) must have SHA-2 code signing support installed on these systems by April 2019. Windows systems without SHA-2 support will no longer be eligible for Windows updates from April 2019.

I blogged about that (with more details) in November 2018 in my blog post Windows 7: From April 2019 'SHA-2-Support' is required. However, Microsoft had not provided details or a timetable for the Windows 7 update in November 2018.

A security update will be released in March 2019

Since the February 2019 updates contained nothing of the kind, there is not much time left. User @abbodi86 has now noticed that Microsoft updated its KB article "2019 SHA-2 Code Signing Support requirement for Windows and WSUS" on February 16, 2019 with concrete dates. Here are the details:



| Target Date | Event | Applies To |
|---|---|---|
| March 12, 2019 | Stand Alone updates that introduce SHA-2 code sign support will be released as security updates. | Windows 7 SP1, Windows Server 2008 R2 SP1 |
| March 12, 2019 | Stand Alone update will be delivered to WSUS 3.0 SP2 that will support delivering SHA-2 signed updates. For those customers using WSUS 3.0 SP2, this update should be installed no later than June 18, 2019. | WSUS 3.0 SP2 |
| April 9, 2019 | Stand Alone updates that introduce SHA-2 code sign support will be released as security updates. | Windows Server 2008 SP2 |
| June 18, 2019 | Windows 10 updates signatures changed from dual signed (SHA1/SHA2) to SHA2 only. No customer action is expected for this milestone. | Windows 10 1709, Windows 10 1803, Windows 10 1809, Windows Server 2019 |
| June 18, 2019 | Required: For those customers using WSUS 3.0 SP2, the updates should be installed by this date. | WSUS 3.0 SP2 |
| July 16, 2019 | Required: Updates for legacy Windows versions will require that SHA-2 code signing support be installed. The support released in March and April will be required in order to continue to receive updates on these versions of Windows. | Windows 7 SP1, Windows Server 2008 R2 SP1, Windows Server 2008 SP2 |
| July 16, 2019 | Windows 10 updates signatures changed from dual signed (SHA1/SHA2) to SHA2 only. No customer action is expected for this milestone. | Windows 10 1507, Windows 10 1607, Windows 10 1703 |
| August 13, 2019 | Contents of updates for legacy Windows versions will be SHA2 signed (embed signed binaries and catalogs). No customer action is expected for this milestone. | Windows 7 SP1, Windows Server 2008 R2 SP1, Windows Server 2008 SP2 |
| September 16, 2019 | Legacy Windows updates signatures changed from dual signed (SHA1/SHA2) to SHA2 only. No customer action is expected for this milestone. | Windows 7 SP1, Windows Server 2008 R2 SP1, Windows Server 2008 SP2, Windows Server 2012, Windows 8.1, Windows Server 2012 R2 |

Customers using WSUS 3.0 SP2 are encouraged to update their servers with the SHA2 updates for WSUS 3.0 SP2 by June 18, 2019. This is the only way to ensure that SHA2-signed updates can be distributed. (via)

