Microsoft announced this week that it is removing all Windows downloads from the Microsoft Download Center that are cryptographically signed using SHA-1 certificates on August 3rd, 2020. The SHA-1 algorithm was frequently used to code-sign executables and TLS and SSL certificates used on web domains to authenticate a publisher’s legitimacy.
Security analysts released a report in 2015, describing how SHA-1 is exposed to collision attacks due to which, attackers could create copies of digital certificates to imitate a company or another website. These copies can then be employed in phishing attacks, to spoof companies, or in man-in-the-middle attacks to listen in on encrypted network sessions. Due to the glitches with SHA-1 certificates, Microsoft and other creators have been moving away from SHA-1 certificates and requiring SHA-2 to be utilized to install Windows updates.
Microsoft stated in a new support bulletin issued yesterday, that they are retiring all Windows content signed with the Secure Hash Algorithm 1 (SHA-1) from the Microsoft Download Center to upsurge security.
“To support developing industry security standards, and continue to keep you protected and productive, Microsoft will leave content that is Windows-signed for Secure Hash Algorithm 1 (SHA-1) from the Microsoft Download Center on August 3, 2020. This is the next step in our constant efforts to approve Secure Hash Algorithm 2 (SHA-2), which better meets modern security requirements and offers added protections from common attack vectors.”
“SHA-1 is a legacy cryptographic hash that many in the security community believe is no longer secure. Using the SHA-1 hashing algorithm in digital certificates could allow a criminal to spoof content, execute phishing attacks, or perform man-in-the-middle attacks”. “Microsoft no longer uses SHA-1 to verify Windows operating system updates due to security concerns related with the algorithm, and has provided the suitable updates to move customers to SHA-2 as earlier announced. Accordingly, beginning in August 2019, devices without SHA-2 support have not received Windows updates.
Even though Microsoft only supports SHA-2 signed content for official content, Windows executables signed with SHA-1 can still run in the operating system. If there are older SHA-1 signed files on the Microsoft Download Center that you still routinely use, before Microsoft removes them on August 3, you should download them.