How to prep legacy Windows systems for the switch to SHA-2

Install these patches on Windows 7 and other legacy platforms now so you can continue to receive security updates.

Microsoft recently announced that those running legacy platforms must install certain updates to add support for SHA-2 hashes. Windows 7 and other legacy platforms rely on SHA-1 when they verify the code-signing signatures on updates. When an update is downloaded from Microsoft, it arrives as signed package pieces that are assembled on the computer, and each signature covers a hash of the piece it protects.

If every piece matches the SHA-1 hash in its signature, the update is approved for installation. If a hash does not match, that part of the update is rejected and flagged to be downloaded and assembled again rather than installed. It is a patching process that has stood the test of time, and it is what ensures that patches cannot be tampered with on the way to the machine.

Until now.

SHA-1 is no longer considered secure: practical collision attacks have been demonstrated against it, so a SHA-1 signature can no longer be relied on to prove that a file is the one Microsoft signed. It is time to ensure that every updating mechanism can handle SHA-2. If you run Windows Server Update Services (WSUS) on Windows Server 2016 or Windows Server 2019, those platforms already support both SHA-1 and SHA-2 code signing. As noted in KB4472027, Microsoft will phase in SHA-2 in stages: first by dual-signing updates with both SHA-1 and SHA-2 as of August 13, 2019, and then, on September 16, by requiring that you have these patches in place.
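The check a practitioner wants at this point is a script that tells them whether a given legacy host already carries the SHA-2 support updates. The following is an added example, not code from the article or from Microsoft. The KB numbers are the ones KB4472027 (cited above) lists for Windows 7 SP1 / Server 2008 R2 SP1 and for Windows Server 2008 SP2; later servicing stack updates may supersede them, so treat the list as a starting point rather than a final word. The `$UpdateFile` parameter is an assumed, optional path to a downloaded package. It is written for Windows PowerShell 2.0, which is what Windows 7 SP1 ships with, so it avoids newer syntax on purpose.

```powershell
# Added example (not from the article or from Microsoft): report whether this
# legacy host has the SHA-2 code-signing support updates listed in KB4472027
# and, optionally, whether a downloaded update package verifies on this host.
# KB list is an assumption taken from KB4472027 at the time of the article.

function Test-Sha2Support {
    param(
        [string]$UpdateFile = $null   # optional path to a downloaded .msu/.cab (assumed)
    )

    $os    = Get-WmiObject -Class Win32_OperatingSystem
    $build = [int]$os.BuildNumber

    # Required updates by build: 7601 = Windows 7 SP1 / Server 2008 R2 SP1,
    # 6002 or 6003 = Windows Server 2008 SP2. Servicing stack update first,
    # then the SHA-2 code-signing support update (KB4474419).
    $required = @()
    switch ($build) {
        7601 { $required = @('KB4490628', 'KB4474419') }
        6002 { $required = @('KB4493730', 'KB4474419') }
        6003 { $required = @('KB4493730', 'KB4474419') }
    }

    # Get-HotFix reads Win32_QuickFixEngineering, which is where these
    # package-based updates are registered once installed.
    $installed = @(Get-HotFix | ForEach-Object { $_.HotFixID })
    $missing   = @($required | Where-Object { $installed -notcontains $_ })

    $sigStatus = 'not checked'
    if ($UpdateFile -and (Test-Path $UpdateFile)) {
        # Verifies the Authenticode signature on the package with this host's
        # own crypto stack; anything other than Valid means do not install it.
        $sigStatus = (Get-AuthenticodeSignature -FilePath $UpdateFile).Status.ToString()
    }

    New-Object PSObject -Property @{
        OperatingSystem = $os.Caption
        Build           = $build
        LegacyPlatform  = ($required.Count -gt 0)
        MissingUpdates  = $missing
        Sha2Ready       = (($required.Count -gt 0) -and ($missing.Count -eq 0))
        SignatureStatus = $sigStatus
    }
}

# Usage: run elevated on each legacy host and collect the output centrally.
# A non-zero exit code lets a scheduled task or management agent flag the host.
$report = Test-Sha2Support
$report | Format-List
if ($report.LegacyPlatform -and -not $report.Sha2Ready) { exit 1 }
```

One caveat on the signature check: `Get-AuthenticodeSignature` reports only whether the signature verifies, not which digest algorithm the signer used, so it cannot by itself tell you whether a package is SHA-1 signed, dual-signed, or SHA-2 only. To see that, inspect the package with `signtool verify /pa /v` from the Windows SDK, which prints the hash algorithm of each signature it finds.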

Here is the timeline and actions you need to take on legacy systems.
