Microsoft's next patch is a must if you want future Windows 7 security updates

[Rickta]

Microsoft's next patch is a must if you want future Windows 7 security updates
Either way, you've got less than a year to make further plans

 

 

 

The big picture: Keep in mind that extended support for Windows 7 ends on January 14, 2020. Even if you do opt for the upcoming SHA-2 update, you've got less than a year of guaranteed security updates coming. Tick tock.

Windows 7 and Windows Server 2008 users will want to circle March 12, 2019, on their calendars as that date will be crucial should you want to continue receiving security updates from Microsoft.

In a recent update to its support article on the matter, Microsoft outlined an important change coming to the aforementioned legacy operating systems.

Microsoft has used SHA-1 and SHA-2 hash algorithms to sign operating system updates as a way to verify their authenticity and ensure they weren’t tampered with during delivery. Over the years, however, as weaknesses have surfaced, processor performance has increased and cloud computing has taken off, SHA-1 has become less secure.

As such, Microsoft will be migrating from SHA-1 to SHA-2 support later this year. The standalone update to enable SHA-2 support on Windows 7 and Windows Server goes live on March 12, 2019.

You’ll still have a few months – until July 16, 2019 – to install the update. After that date, if you don’t have the requisite SHA-2 update installed, you’ll no longer be able to receive Windows security updates.

The full timeline for migrating to SHA-2 can be found in Microsoft’s support article.

< here >

[Karlston]

The company's plans to move away from SHA-1 to SHA-2 for digital signatures for OS updates has been pushed back to mid-year.

pan xiaozhen modified by IDG Comm. / Microsoft (CC0)

Microsoft has revised its schedule to dump support for an outdated cryptographic hash standard by postponing the deadline for Windows 7.

 

Microsoft, like other software vendors, digitally "signs" updates before they are distributed via the Internet. SHA-1 (Secure Hash Algorithm 1), which debuted in 1995, was declared insecure a decade later, but it was retained for backward-compatibility reasons, primarily for Windows 7. Microsoft wants to ditch SHA-1 and rely only on the more-secure SHA-2 (Secure Hash Algorithm 2).

 

Late last year, Microsoft said that it would update Windows 7 and Windows Server 2008 R2 SP1 (Service Pack 1) this month with support for SHA-2. Systems running those operating systems would not receive the usual monthly security updates after April's collection, slated for release April 9, Microsoft promised at the time.

 

The update-or-die demand has now been pushed to July.

 

"Updates for legacy Windows versions will require that SHA-2 code signing support be installed" by July 16, stated a support document revised on Feb. 15. "The support [for SHA-2] released in March and April will be required in order to continue to receive updates on these versions of Windows." By "legacy," Microsoft meant Windows 7, Windows Server 2008 R2 SP1 and Windows Server 2008 SP2.

 

The update for Windows 7 and Windows Server 2008 R2 SP1 that will add SHA-2 support will ship on March 12, Microsoft added; Windows Server 2008 SP2 will get its version on April 9.

 

Machines that haven't installed the updates will receive security fixes through July 16, meaning they will get July's Patch Tuesday bunch. However, the next regularly-scheduled security updates, due to be delivered Aug. 13, will not be offered to those PCs and servers.

 

Microsoft will first sign all Windows updates using only SHA-2 come Sept. 16.

 

Organizations that rely on WSUS (Windows Server Update Services) 3.0 to manage and distribute Microsoft's updates must also retrieve and install a March 12 update to add SHA-2 support. Those that fail to do so by June 18 will be unable to deliver security updates to client systems.

 

Windows 10 users will not face a similar requirement, as the newer OS only accepts updates signed with SHA-2, and so doesn't require a refresh. As part of its efforts to purge SHA-1, though, Microsoft will stop dual-signing Windows 10 updates using both SHA-1 and SHA-2.

 

Microsoft did not give a reason for the three-month postponement of the Windows 7 update-signing deadline. The company may have decided that too many customers are still running the aged operating system to risk shutting off security updates months before its January 2020 retirement. Or Microsoft may simply have wanted a longer cushion between delivering the SHA-2 update to Windows 7 and ending SHA-1 signing, what with some recent debacles, notably the release-withdrawal-release of Windows 10 1809 last fall, in case something went amiss in March.

 

The revised schedule could be flushed again, Microsoft warned. "Please note that the timeline ... is subject to change," the support document said. "We will update this page as the process begins and as needed."

 

Source: Microsoft delays Windows 7's update-signing deadline to July (Computerworld - Gregg Keizer)