Symantec releases a patch for the SHA-2 bug in Windows 7

Antivirus vendor Symantec has released a patch to fix the update issue on Windows 7 / Windows Server 2008 R2. Distribution of the various language versions is scheduled for August 21, 2019; the English version is said to have already been released. Here is some information on the topic.


What exactly are we talking about?

In August 2019, Microsoft changed the signing of updates for Windows 7 exclusively to SHA-2. I've addressed this, among other things, in the blog post Windows 7: From April 2019 'SHA-2-Support' is required. This is not a problem, because Microsoft has provided the relevant updates for SHA-2 support for months. Until now, Microsoft has also provided dual-signed update packages signed with SHA-1 as well as SHA-2.

As of August 2019, however, the SHA-1 signature in the Windows 7 updates has been completely removed. These can only be installed if Windows 7 SP1, Windows Server 2008, Windows Server 2008 R2 and WSUS have been upgraded accordingly (see also WSUS: Endpoint decommissioned; SHA2 update required).

However, users of Windows systems that have Symantec Antivirus or Norton Antivirus installed have had a problem since the August 2019 patchday. The antivirus solutions detected updates signed only with SHA-2 as malware (because of the missing SHA-1 signature) and blocked these packages.

Symantec has published the KB article Windows 7/Windows 2008 R2 updates that are only SHA-2 signed are not available with Symantec Endpoint Protection installed. Microsoft has therefore blocked the deployment of the August 2019 updates for Windows 7 SP1 and Windows Server 2008 R2. The required August 2019 security updates were not offered. I reported on this in the blog post Symantec/Norton blocks Windows Updates (SHA-2).

Symantec starts rolling out a patch

Through the following tweet by Woody Leonhard I became aware that Symantec has now released an update to solve this problem.


Leonhard received a notification from CA, which indicates the release of the patch:

Symantec released an updated version of Norton Internet Security that
fixes the SHA-2 patch problem for Windows 7 this morning (Tues). The new version will show up through Live Update (140+ mb).

Once the patched version is applied (v22.18.0.222), security roll-ups
for August (Group A – Aug 13 KB4512506) will appear in Windows Update
without user intervention. A reboot may be required for this to happen.

MS has not updated KB4512506 or KB4512486 to reflect this:

For Symantec Endpoint Protection users, the English 14.2 version has
been updated. Localized language versions will be available on the 21st.

The support article about Symantec Endpoint Protection hasn't been updated yet. But I expect that Symantec/Norton users will receive the fix later today and that Microsoft will release the August 2019 security updates for affected Windows systems.
