The company's plans to move from SHA-1 to SHA-2 for the digital signatures on OS updates have been pushed back to mid-year.
Senior Reporter, Computerworld
Microsoft has revised its schedule to dump support for an outdated cryptographic hash standard by postponing the deadline for Windows 7.
Microsoft, like other software vendors, digitally "signs" updates before they are distributed via the Internet. SHA-1 (Secure Hash Algorithm 1), which debuted in 1995, was declared insecure a decade later, but it was retained for backward-compatibility reasons, primarily for Windows 7. Microsoft wants to ditch SHA-1 and rely only on the more secure SHA-2 (Secure Hash Algorithm 2).
Late last year, Microsoft said that it would update Windows 7 and Windows Server 2008 R2 SP1 (Service Pack 1) this month with support for SHA-2. Systems running those operating systems would not receive the usual monthly security updates after April's collection, slated for release April 9, Microsoft promised at the time.
The update-or-die demand has now been pushed to July.
"Updates for legacy Windows versions will require that SHA-2 code signing support be installed" by July 16, stated a support document revised on Feb. 15. "The support [for SHA-2] released in March and April will be required in order to continue to receive updates on these versions of Windows." By "legacy," Microsoft meant Windows 7, Windows Server 2008 R2 SP1 and Windows Server 2008 SP2.
The update for Windows 7 and Windows Server 2008 R2 SP1 that will add SHA-2 support will ship on March 12, Microsoft added; Windows Server 2008 SP2 will get its version on April 9.
Machines that haven't installed the updates will still receive security fixes through July 16, meaning they will get July's Patch Tuesday bunch. However, the next regularly scheduled security updates, due to be delivered Aug. 13, will not be offered to those PCs and servers.
Microsoft will first sign all Windows updates using only SHA-2 come Sept. 16.
Organizations that rely on WSUS (Windows Server Update Services) 3.0 to manage and distribute Microsoft's updates must also retrieve and install a March 12 update to add SHA-2 support. Those that fail to do so by June 18 will be unable to deliver security updates to client systems.
Windows 10 users will not face a similar requirement, as the newer OS only accepts updates signed with SHA-2, and so doesn't require a refresh. As part of its efforts to purge SHA-1, though, Microsoft will stop dual-signing Windows 10 updates using both SHA-1 and SHA-2.
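To make the signing and client-side policy described above concrete, here is an added example in Go; it is not Microsoft's code and not from the article. It assumes a toy setup: a freshly generated RSA key standing in for Microsoft's signing key, PKCS#1 v1.5 signatures over a SHA-1 or SHA-256 digest of a constructed update payload, a "dual-signed" package that carries both signatures, and two client policies, one that still accepts SHA-1 (the legacy Windows 7 case) and one that accepts SHA-2 only (the Windows 10 case). The point it shows is that once dual-signing stops, a client with the SHA-2-only policy has nothing it is willing to verify on a SHA-1-only package.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Signature records which digest algorithm the signer used and the raw
// RSA PKCS#1 v1.5 signature over that digest.
type Signature struct {
	Hash crypto.Hash
	Sig  []byte
}

// SignedUpdate models a downloadable update package: the payload plus one or
// more signatures. A dual-signed package carries a SHA-1 and a SHA-256 signature.
type SignedUpdate struct {
	Payload    []byte
	Signatures []Signature
}

// digest computes the payload digest for the two algorithms this example supports.
func digest(h crypto.Hash, data []byte) []byte {
	switch h {
	case crypto.SHA1:
		d := sha1.Sum(data)
		return d[:]
	case crypto.SHA256:
		d := sha256.Sum256(data)
		return d[:]
	}
	panic("unsupported hash")
}

// Sign attaches one signature per requested digest algorithm (hypothetical signer).
func Sign(key *rsa.PrivateKey, payload []byte, hashes ...crypto.Hash) (*SignedUpdate, error) {
	u := &SignedUpdate{Payload: payload}
	for _, h := range hashes {
		sig, err := rsa.SignPKCS1v15(rand.Reader, key, h, digest(h, payload))
		if err != nil {
			return nil, err
		}
		u.Signatures = append(u.Signatures, Signature{Hash: h, Sig: sig})
	}
	return u, nil
}

// Policy lists the digest algorithms a client is willing to trust on update signatures.
type Policy map[crypto.Hash]bool

var (
	LegacyPoly   = Policy{crypto.SHA1: true, crypto.SHA256: true} // Windows 7 before the cut-over
	SHA2OnlyPoly = Policy{crypto.SHA256: true}                    // Windows 10 style: SHA-2 only
)

// Verify accepts the update if at least one signature is both valid and made with
// an algorithm the policy allows. A valid SHA-1 signature is simply skipped under SHA2OnlyPoly.
func Verify(pub *rsa.PublicKey, u *SignedUpdate, p Policy) error {
	for _, s := range u.Signatures {
		if !p[s.Hash] {
			continue
		}
		if err := rsa.VerifyPKCS1v15(pub, s.Hash, digest(s.Hash, u.Payload), s.Sig); err == nil {
			return nil
		}
	}
	return errors.New("no signature with an allowed digest algorithm verified")
}

// Outcome collects the accept/reject result for each package under each policy.
type Outcome struct {
	SHA1OnlyUnderLegacy, SHA1OnlyUnderSHA2Only bool
	DualUnderLegacy, DualUnderSHA2Only         bool
	SHA2OnlyUnderLegacy, SHA2OnlyUnderSHA2Only bool
	TamperedDualUnderLegacy                    bool
}

// RunScenario signs a constructed payload three ways and checks each against both policies.
func RunScenario() (Outcome, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return Outcome{}, err
	}
	payload := []byte("constructed sample update payload (KB-PLACEHOLDER)")
	sha1Only, err := Sign(key, payload, crypto.SHA1)
	if err != nil {
		return Outcome{}, err
	}
	dual, err := Sign(key, payload, crypto.SHA1, crypto.SHA256)
	if err != nil {
		return Outcome{}, err
	}
	sha2Only, err := Sign(key, payload, crypto.SHA256)
	if err != nil {
		return Outcome{}, err
	}
	// A tampered payload re-using the original signatures must fail under any policy.
	tampered := &SignedUpdate{Payload: append([]byte("x"), payload...), Signatures: dual.Signatures}
	ok := func(u *SignedUpdate, p Policy) bool { return Verify(&key.PublicKey, u, p) == nil }
	return Outcome{
		SHA1OnlyUnderLegacy: ok(sha1Only, LegacyPoly), SHA1OnlyUnderSHA2Only: ok(sha1Only, SHA2OnlyPoly),
		DualUnderLegacy: ok(dual, LegacyPoly), DualUnderSHA2Only: ok(dual, SHA2OnlyPoly),
		SHA2OnlyUnderLegacy: ok(sha2Only, LegacyPoly), SHA2OnlyUnderSHA2Only: ok(sha2Only, SHA2OnlyPoly),
		TamperedDualUnderLegacy: ok(tampered, LegacyPoly),
	}, nil
}

func main() {
	out, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", out)
}
```

The SHA-1-only package is accepted under the legacy policy and rejected under the SHA-2-only policy; the dual-signed and SHA-256-only packages are accepted under both, which is why a dual-signed transition period lets old and new clients coexist until SHA-1 signing is dropped.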
Microsoft did not give a reason for the three-month postponement of the Windows 7 update-signing deadline. The company may have decided that too many customers are still running the aged operating system to risk shutting off security updates months before its January 2020 retirement. Or Microsoft may simply have wanted a longer cushion between delivering the SHA-2 update to Windows 7 and ending SHA-1 signing, in case something went amiss in March, given some recent debacles, notably the release, withdrawal and re-release of Windows 10 1809 last fall.
The revised schedule could be changed yet again, Microsoft warned. "Please note that the timeline ... is subject to change," the support document said. "We will update this page as the process begins and as needed."
Senior Reporter Gregg Keizer covers Windows, Office, Apple/enterprise, web browsers and web apps for Computerworld.