Microsoft delays Windows 7's update-signing deadline to July

From ComputerWorld: Microsoft has revised its schedule to dump support for an outdated cryptographic hash standard by postponing the deadline for Windows 7.

Microsoft, like other software vendors, digitally "signs" updates before they are distributed via the Internet. SHA-1 (Secure Hash Algorithm 1), which debuted in 1995, was declared insecure a decade later, but it was retained for backward-compatibility reasons, primarily for Windows 7. Microsoft wants to ditch SHA-1 and rely only on the more-secure SHA-2 (Secure Hash Algorithm 2).

Late last year, Microsoft said that it would update Windows 7 and Windows Server 2008 R2 SP1 (Service Pack 1) this month with support for SHA-2. Systems running those operating systems would not receive the usual monthly security updates after April's collection, slated for release April 9, Microsoft promised at the time.

The update-or-die demand has now been pushed to July.

"Updates for legacy Windows versions will require that SHA-2 code signing support be installed" by July 16, stated a support document revised on Feb. 15. "The support [for SHA-2] released in March and April will be required in order to continue to receive updates on these versions of Windows." By "legacy," Microsoft meant Windows 7, Windows Server 2008 R2 SP1 and Windows Server 2008 SP2.

View: Article @ Source Site