How to prep legacy Windows systems for the switch to SHA-2

Install these patches on Windows 7 and other legacy platforms now so you can continue to receive security updates.


Microsoft recently announced that those running legacy platforms must install certain updates to add support for SHA-2 hash values. Windows 7 and other legacy platforms use SHA-1 hash values to verify update code. When an update is downloaded from Microsoft, it arrives in parts that are reassembled on the computer.

If all the pieces match the expected SHA-1 hash values, the update is approved for installation. If the SHA-1 hash values do not match, those parts of the update are flagged to be downloaded and reassembled again. It’s a patching process that has stood the test of time and ensures that tampered patches are rejected.

Until now.

SHA-1 is no longer considered secure: practical collisions exist, so a SHA-1 hash can be spoofed. It’s time to ensure that all updating mechanisms can handle SHA-2. If you are running Windows Server Update Services (WSUS) on Windows Server 2016 or Windows Server 2019, those platforms already support both SHA-1 and SHA-2 code signing. As noted in KB4472027, Microsoft will phase in SHA-2 support by first switching to dual code signing as of August 13, 2019, and then, on September 16, it will mandate that you have these patches in place.

Here is the timeline and actions you need to take on legacy systems.

For those running WSUS on Windows Server 2008 SP2, install two updates:

  1. Install KB4484071 on WSUS 3.0 SP2. You must manually download and install it from the Microsoft catalog site.
  2. Install KB4493730 for Windows Server 2008 SP2. This is a servicing stack patch for that platform.

For those running WSUS on Windows Server 2008 R2, install the following three updates:

  1. Install KB4484071 on WSUS 3.0 SP2. Manually download and install it from the Microsoft catalog site.
  2. Install KB4490628 for Server 2008 R2. This is a servicing stack patch for that platform. This update needs to be installed separately from all other patches.
  3. Install KB4474419 for Server 2008 R2. This installs SHA-2 code signing support for the platform itself.

Those still running Windows 7 workstations will need to install the following updates to continue to be able to install security updates:

  1. Install KB4490628 for Windows 7. This is a servicing stack patch for that platform that needs to be installed separately from all other patches.
  2. Install KB4474419 for Windows 7. This installs SHA-2 code signing support for the platform itself.

Install these updates before June 18, 2019. On that date, Windows 10 update signatures change from dual signed (SHA-1/SHA-2) to SHA-2 only. If you are running legacy WSUS, these updates must be in place to continue to manage Windows 10 security updates from WSUS 3.0 SP2. Note that none of these updates will allow WSUS 3.0 SP2 to support Windows 10 feature updates. Rather, they will allow WSUS 3.0 SP2 to deploy Windows 10 security updates.

The key update for WSUS 3.0 SP2, KB4484071, will not be installed automatically on that platform or offered to machines with WSUS 3.0 SP2 installed. You will need to install it manually from the catalog site. WSUS 3.0 SP2 could be installed on both Server 2008 SP2 and Server 2008 R2, so if you are using WSUS on either of those two platforms, you will need to install that update.
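As an added example (not code from the article or from Microsoft), here is a PowerShell check a patch administrator could run on a legacy host to see which of the updates listed above are present. It assumes PowerShell 2.0 or later (the Windows 7 default), that Get-HotFix reports these OS updates, and that the WSUS service is registered under the name WsusService.

```powershell
# Added example, not code from the article: report which of the SHA-2 prerequisite
# updates listed above are present on a legacy host. Assumes PowerShell 2.0 or later
# and that Get-HotFix (Win32_QuickFixEngineering) reports these OS updates.

function Get-RequiredSha2Updates {
    # Map the OS version to the KB list the article gives for that platform.
    param([string]$Version, [int]$ProductType)   # ProductType 1 = workstation
    $parts = $Version.Split('.')
    $major = [int]$parts[0]; $minor = [int]$parts[1]
    if ($major -eq 6 -and $minor -eq 1) {
        # Windows 7 and Windows Server 2008 R2 need the same two OS updates:
        # the servicing stack update (installed on its own) and SHA-2 signing support.
        return @('KB4490628', 'KB4474419')
    }
    if ($major -eq 6 -and $minor -eq 0 -and $ProductType -ne 1) {
        # Windows Server 2008 SP2: the article lists only the servicing stack update.
        return @('KB4493730')
    }
    return @()   # Server 2012/2012 R2/2016/2019 and Windows 10 already support SHA-2.
}

function Test-Sha2Readiness {
    $os = Get-WmiObject Win32_OperatingSystem
    # @() keeps $required an array even when the function returns nothing or one item.
    $required = @(Get-RequiredSha2Updates -Version $os.Version -ProductType $os.ProductType)
    if ($required.Count -eq 0) {
        return New-Object PSObject -Property @{ Update = '(none)'; State = "$($os.Caption) already supports SHA-2 signing" }
    }
    $installed = Get-HotFix | ForEach-Object { $_.HotFixID }
    $report = @()
    foreach ($kb in $required) {
        $state = if ($installed -contains $kb) { 'installed' } else { 'MISSING' }
        $report += New-Object PSObject -Property @{ Update = $kb; State = $state }
    }
    # KB4484071 is a WSUS 3.0 SP2 update installed manually from the catalog and is not
    # reliably listed by Get-HotFix, so flag it for a manual check when WSUS runs here.
    # Assumption: the WSUS service is registered under the name WsusService.
    if (Get-Service -Name WsusService -ErrorAction SilentlyContinue) {
        $report += New-Object PSObject -Property @{ Update = 'KB4484071'; State = 'verify manually (WSUS 3.0 SP2)' }
    }
    return $report
}

Test-Sha2Readiness | Format-Table Update, State -AutoSize
```

Run it in an elevated PowerShell on each Windows 7, Server 2008 SP2 or Server 2008 R2 host; any row marked MISSING identifies an update to install before the deadline, with the servicing stack update applied on its own first.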

For those of you running a network entirely of modern operating systems and modern patching platforms based on Windows Server 2016 or Windows Server 2019, the WSUS implementation on those platforms needs no action on your part. The switch to SHA-2 will be automatic and go unnoticed, as these platforms already support both SHA-1 and SHA-2 code signing.

For those running WSUS 4.0 on Windows Server 2012, or the WSUS role on Server 2012 R2, these platforms are also new enough to support both SHA-1 and SHA-2. No action is needed on those platforms either to support SHA-2 code signing.

Evaluate your patching systems and legacy operating systems and act now to maintain the ability to deploy security updates.

Copyright © 2019 IDG Communications, Inc.
