  • A “critical” Win7/Server 2008 patch coming in February/March really IS critical

    Posted on November 20th, 2018 at 06:59 by woody

    Microsoft is changing to the SHA-2 encryption method for all of its updates. The change will happen in April. In order to get new updates starting in April, your Win7 or Server 2008 (or older version of WSUS) has to be patched.

    Details in Computerworld Woody on Windows.

    Thx @abbodi86


    This topic contains 40 replies, has 23 voices, and was last updated by woody 2 months ago.

    • #234654

      woody
      Da Boss

      [See the full post at: A “critical” Win7/Server 2008 patch coming in February/March really IS critical]

    • #234659

      Seff
      AskWoody Plus

      Something to look forward to!

    • #234657

      anonymous

      Oh oh, I wonder if this will go smoothly or be a nightmare.

    • #234661

      geekdom
      AskWoody Plus

      My goal is to keep my computer operational. To that end, I will patch as necessary.

      Group G{ot backup} Win7Pro · x64 · SP1 · i3-3220 · TestBeta
    • #234666

      AlexN
      AskWoody Lounger

      Don’t be surprised if this comes packaged with some ogres that’ll impede W7 functionality.

      Fortran, C++, R, Python, Java, Matlab, HTML, CSS, etc.... coding is fun!
      A weatherman that can code

    • #234669

      anonymous

      i have a polite request, can someone please post a link to the benefits of win7 group w ?

    • #234689

      anonymous
      • #234786

        Steve S.
        AskWoody Plus

        I saw these links on ghacks and wondered what the heck is up, as well.  Since Microsoft added SHA-2 to Windows 7 back in 2015/2016, what’s this ‘new update’ all about?? Hopefully someone here with a higher pay grade than me can explain things….

        Win7 Pro x64 (Group B), Win10 Pro x64 1809, Linux Mint + a cat with 'tortitude'.

        • #234866

          Noel Carboni
          AskWoody_MVP

          I’ve been wondering the same thing.

          Smells funny from here.

          -Noel

        • #234925

          walker
          AskWoody Lounger

          @Steve S.: How does a user know which update they need? I don’t know how to find this information. Have only updated as indicated: Win 7, x64, Home Premium, Group A. Don’t even know what this SHA-2 is. As usual, I am the epitome of the “computer illiterate”, therefore it is difficult to relate to this new pending change.

          Any and all help would be most appreciated.  Thank you to all.

        • #235054

          Sportsman
          AskWoody Lounger

          The last time Windows 7 got “patched” for SHA-2 (KB3033929, as well as its predecessor), it left my machine unusable, and I was forced to arduously uninstall the patches — with 3 reboots apiece — both times.

          Windows 10 Home 64-bit

    • #234701

      lurks about
      AskWoody Lounger

      I found a link discussing SHA-1 deprecation (https://www.venafi.com/education-center/ssl/sha-1-deprecation). It notes that NIST deprecated SHA-1 in 2011. I would have thought MS would have already migrated the update service to SHA-2 sometime ago.

    • #234724

      warrenrumak
      AskWoody Plus

      I feel bad for anyone stuck supporting Server 2008 systems in 2019.  Even 2008 R2 was a huge improvement in quality.

    • #234734

      anonymous

      The phrase “SHA-2 encryption” is technically incorrect, SHA-2 is a suite of hash algorithms and can’t encrypt anything by itself.  Microsoft is using it as a hash function for digital signatures.

    • #234740

      OscarCP
      AskWoody Plus

      Is there some way the Security Only/SHA-2 patch in March, particularly the SHA-2 part, can be tested to see if it is working OK, before the implementation by MS of SHA-2 in April?

      • #234802

        The Surfing Pensioner
        AskWoody Plus

        I should think the safest way forward will be to install the standalone patch initially, at least until we can be confident the security-only patch is bug-free.

        • #234830

          OscarCP
          AskWoody Plus

          Thanks, TSP: I missed the mention of the “stand alone patch” in Woody’s “Computerworld” article:

          “The timeline says that this coming February’s Monthly Rollup preview will have the SHA-2 code, as will a standalone patch. (No indication about whether that patch will be installed automatically.) Then, in March, the usual Monthly Rollup and Security-only patches will both include the new SHA-2 conversant code.”

          Not sure what “conversant code” means. But it looks like there will be some potentially helpful developments courtesy of MS in March. As usual, I’ll wait to see if anyone is badly bitten by whatever comes and, if not, I’ll patch away.

          Also, I am intrigued by SteveS entry: #234786 .

          • #234887

            anonymous

            Yep had to look up the word myself, Woody used both the archaic and modern meanings of that word.

        • #234846

          GoneToPlaid
          AskWoody Plus

          That makes total sense, so that one can uninstall it if it is found to have issues.

    • #234821

      anonymous

      Why an eleventh hour security change to an OS they want to close down?

      Something doesn’t quite smell right here.

      • #234828

        PKCano
        Da Boss

        This is not a security change just for Win7 although these updates apply to Win7. Windows Update for all versions of Windows will be using SHA-2 beginning in April 2019. Win8.1/10 already have the capability. Win7 does need to get updates through Jan, 2020, so the change will have to be made to make this possible.

    • #234832

      anonymous

      I just read a post on gHacks that says MS previously released an update related to SHA-2.

      The post (by AnorKnee Merce) says that KB3033929 (March 2015) was supposed to enable SHA-2 support on W7.

      https://docs.microsoft.com/en-us/security-updates/securityadvisories/2015/3033929

      Is this new patch actually some sort of servicing stack update, or is MS trying to scam W7 users?

      -lehnerus2000

      • #234837

        PKCano
        Da Boss

        I am going to guess that whatever patch(es) Microsoft issues to facilitate SHA-2 on Win7 will supersede what has been installed in the past, and it will be what Windows Update looks for in order to serve updates to Win7 computers for the rest of the time until EOL in Jan. 2020.

        or is MS trying to scam W7 users?

        No, MS is not trying to scam Win7.

    • #234840

      fernlady
      AskWoody Lounger

      KB3033929 (March 2015) shows up in history BUT not in the installed updates. Should I worry?

      Windows 7 Home Premium x64 AMD Group A Realtek PCIe GBE Family Controller

      • #234843

        PKCano
        Da Boss

        No need to worry. The necessary update will be available before the time of the transition.

    • #234851

      Lars220
      AskWoody Lounger

      Can we still be on paranoia alert? PKCano said ‘and it will be what Windows Update looks for in order to serve updates to Win7 computers’ OR maybe serve Upgrades? I wonder if Josh Mayfield’s GWX Control Panel will still block Get Windows 10 on our Win7 machines? Where did I put that tin foil hat?

    • #234874

      anonymous

      The earlier update was probably to add SHA2 support to SSL/TLS, code signing, IE, etc.  This upcoming update is to actually implement SHA2 usage in Windows Update.

    • #234901

      anonymous

      But despite its actions, Microsoft contends that its Windows Update is protected from any threats from false security certificates.

      “Attackers are not able to leverage a fraudulent Windows Update certificate to install malware via the Windows Update servers,” Microsoft engineer Jonathan Ness wrote in the blog. “The Windows Update client will only install binary payloads signed by the actual Microsoft root CA certificate, which is issued and secured by Microsoft. Also, Windows Update itself is not at risk, even to an attacker with a fraudulent certificate.”

      https://www.cnet.com/news/comodohacker-i-can-issue-fake-windows-updates/ – September 12, 2011

      https://security.stackexchange.com/questions/19979/are-windows-updates-susceptible-to-tampering-eg-using-a-mitm-attack – Sep 10 ’12

      Since Windows Update is invulnerable, Win 7 has already been patched for SHA-2 support in 2015 and SHA-1 has been fully deprecated by M$ in June 2017, why the need for this CRITICAL update for Win 7 in Feb 2019 from M$?

      • #235022

        anonymous

        Microsoft’s playing themselves if they really think their systems are invulnerable.

      • #235045

        Susan Bradley
        AskWoody MVP

        As I read it this would be disabling SHA-1 and enforcing a SHA-2 only hash computation. The bad guys get smarter all the time. It’s all about ensuring that bad guys can’t spoof the updates.

        Susan Bradley Patch Lady

        • #235086

          mn–
          AskWoody Lounger

          Of course, cutting compatibility with older updates, even if it’s for security reasons, has certain risks too… it’s just, which is the lesser risk here…?

      • #235091

        anonymous

        @ Susan Bradley

        Summary

        To protect your security, Windows operating system updates are dual-signed using both the SHA-1 and SHA-2 hash algorithms to authenticate that updates come directly from Microsoft and were not tampered with during delivery. Due to weaknesses in the SHA-1 algorithm and to align to industry standards Microsoft will only sign Windows updates using the more secure SHA-2 algorithm exclusively.

        Customers running legacy OS versions (Windows 7 SP1, Windows Server 2008 R2 SP1 and Windows Server 2008 SP2) will be required to have SHA-2 code signing support installed on their devices by April 2019. Any devices without SHA-2 support will not be offered Windows updates after April 2019. To help prepare you for this change, we will release support for SHA-2 signing in 2019. Some older versions of Windows Server Update Services (WSUS) will also receive SHA-2 support to properly deliver SHA-2 signed updates. Refer to the Product Updates section for the migration timeline.

        https://support.microsoft.com/en-us/help/4472027/2019-sha-2-code-signing-support-requirement-for-windows-and-wsus
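
Added example, not from this thread and not Microsoft's code: the correction in #234734 (SHA-2 is a hash used inside a digital signature) and the Microsoft summary quoted above (updates dual-signed with SHA-1 and SHA-2, later SHA-2 only) both come down to a question a practitioner will want to answer on a real machine: which digest algorithm does the Authenticode signature on a given file actually use? The PowerShell below reads a PE file's certificate table, decodes each PKCS#7 SignedData with .NET's SignedCms, and reports the digest algorithm of every signer, following the nested-signature attribute that a dual-signed file uses to carry its second signature. It targets Windows PowerShell 5.1 on Windows; the file path and the use of KB3033929 (the 2015 update named in this thread) in the usage lines are assumptions for illustration.

```powershell
# Added example (not the page's or Microsoft's code). Reports the digest
# algorithm (e.g. sha1 or sha256) of each Authenticode signature on a PE file,
# including the nested second signature of a dual-signed binary.
Add-Type -AssemblyName System.Security

function Add-SignerInfo {
    param([byte[]]$Der, [string]$Level, $Out)
    $cms = New-Object System.Security.Cryptography.Pkcs.SignedCms
    $cms.Decode($Der)
    foreach ($si in $cms.SignerInfos) {
        $subject = if ($si.Certificate) { $si.Certificate.Subject } else { '(certificate not embedded)' }
        $Out.Add([pscustomobject]@{
            Level  = $Level
            Digest = $si.DigestAlgorithm.FriendlyName   # the file-hash algorithm of this signature
            Signer = $subject
        })
        # A second signature is stored as an unsigned attribute, szOID_NESTED_SIGNATURE
        # (1.3.6.1.4.1.311.2.4.1), whose value is another complete SignedData blob.
        foreach ($attr in $si.UnsignedAttributes) {
            if ($attr.Oid.Value -eq '1.3.6.1.4.1.311.2.4.1') {
                foreach ($v in $attr.Values) {
                    Add-SignerInfo -Der $v.RawData -Level 'nested' -Out $Out
                }
            }
        }
    }
}

function Get-AuthenticodeDigests {
    param([Parameter(Mandatory)][string]$Path)

    $bytes    = [System.IO.File]::ReadAllBytes($Path)
    $peOffset = [BitConverter]::ToInt32($bytes, 0x3C)              # IMAGE_DOS_HEADER.e_lfanew
    if ([BitConverter]::ToUInt32($bytes, $peOffset) -ne 0x4550) {   # "PE\0\0"
        throw "$Path is not a PE image"
    }
    $optHeader = $peOffset + 24                                     # past signature + COFF header
    $magic     = [BitConverter]::ToUInt16($bytes, $optHeader)
    # Data directories begin 96 bytes into a PE32 optional header, 112 into PE32+.
    $dirBase   = if ($magic -eq 0x20B) { $optHeader + 112 } else { $optHeader + 96 }
    $secDir    = $dirBase + 4 * 8                                   # IMAGE_DIRECTORY_ENTRY_SECURITY
    $certOff   = [int][BitConverter]::ToUInt32($bytes, $secDir)     # a raw file offset, not an RVA
    $certSize  = [int][BitConverter]::ToUInt32($bytes, $secDir + 4)

    $out = New-Object System.Collections.Generic.List[object]
    if ($certOff -eq 0 -or $certSize -eq 0) { return $out.ToArray() }   # unsigned file

    $pos = $certOff
    $end = $certOff + $certSize
    while ($pos -lt $end) {
        # WIN_CERTIFICATE: dwLength(4) wRevision(2) wCertificateType(2) bCertificate[]
        $len  = [int][BitConverter]::ToUInt32($bytes, $pos)
        $type = [BitConverter]::ToUInt16($bytes, $pos + 6)
        if ($type -eq 0x0002) {                                     # WIN_CERT_TYPE_PKCS_SIGNED_DATA
            $blob = New-Object byte[] ($len - 8)
            [Array]::Copy($bytes, $pos + 8, $blob, 0, $len - 8)
            Add-SignerInfo -Der $blob -Level 'primary' -Out $out
        }
        $pos += ($len + 7) -band (-bnot 7)                          # entries are 8-byte aligned
    }
    return $out.ToArray()
}

# Usage (the path is an assumption; any signed PE file will do):
Get-AuthenticodeDigests -Path "$env:SystemRoot\System32\ntoskrnl.exe" |
    Format-Table Level, Digest, Signer -AutoSize

# KB3033929 is the 2015 update mentioned in this thread. Its presence shows the
# older SHA-2 code-signing support is installed; it says nothing about the 2019 update.
Get-HotFix -Id KB3033929 -ErrorAction SilentlyContinue
```

A file that is only SHA-1 signed shows one primary signer with Digest sha1; a dual-signed file shows a primary sha1 signer plus a nested sha256 signer; a file signed after the cutover shows a single sha256 signer. Get-AuthenticodeSignature alone does not surface this distinction, because it reports the certificate's own signature algorithm rather than the digest used over the file, which is why the example decodes the SignedData directly.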

    • #235314

      laidbacktokyo
      AskWoody Lounger

      It’s just fun. A forthcoming SHA-3, -4, -5, etc. some other day would MAYBE be OK, but looking just a week ahead, where is that d**n preview rollup of Nov 2018? I know there is no m$ 3rd-Tuesday-of-the-month schedule anymore, but….

      P.S. Despite m$’s current way of updating the Win7 CPU drivers & Ntoskrnl.exe, starting from Aug 2018 once or even twice per month in rollup/preview releases, the 2018 DWM.exe crash issue with error ID 9020 remains generally unresolved for older CPUs in combination with low-RAM video cards, while the basic solution, changing the CPU minimum state from its default 5% to 50%, has been found and works OK. However, it’s a handmade one, done beyond m$!

      Anyhow, here is the thread dedicated to this particular issue:

      https://www.sevenforums.com/general-discussion/414573-help-needed-win7-dwm-exe-issues-upon-install-any-m-rollup-2018-a-4.html

      Well, could anybody here link this stuff directly to some m$ wiseguy, if any?

      Thanks.

    • #327785

      abbodi86
      AskWoody_MVP

      https://support.microsoft.com/en-us/help/4472027/2019-sha-2-code-signing-support-requirement-for-windows-and-wsus

      They updated the schedule

      Standalone security update in March for Windows 7
      The enforcement of SHA-2 code signing for Windows Update will begin in July.

      • #327787

        woody
        Da Boss

        It took ’em a while, didn’t it….
