Microsoft will stop releasing updates via SHA-1 code signing
Microsoft is phasing out use of the Secure Hash Algorithm 1 code-signing encryption to deliver Windows OS updates. Customers running legacy OS versions will be required to have SHA-2 code-signing support installed on their devices by July 2019. Windows 7 SP1, Windows Server 2008 R2 SP1, Windows Server 2008 SP2, and some older versions of Windows Server Update Services all uses SHA-1 encryption and should be updated by July.
Microsoft will use both the SHA-1 and SHA-2 hash algorithms to authenticate its updates and prevent man-in-the-middle tampering for now. This is because the newer systems supports only SHA-2, and older ones only SHA-1. SHA-2 upgrades will roll out to the affected products beginning March 12. Microsoft will only sign Windows updates using the more secure SHA-2 algorithm exclusively after July due to weaknesses in the SHA-1 algorithm and to align to industry standards.
NIST-developed SHA-1 remains a widely used part of code-signing, but its effectiveness has declined as more attacks that break it have popped up. Microsoft has cited the existence of known collision attacks against SHA-1 as the main reason for advising against its use. Collisions occur when an attacker is able to generate a certificate with the same signature as the original certificate.
Microsoft has been actively deprecating the SHA-1 and older hash algorithms like RC4 since 2013. In 2014, Microsoft made SHA-2 available for Windows 7 and Windows Server 2008 R2, bringing those older versions of Windows in line with Windows 8 and Windows Server 2012 and 2012 R2. Microsoft began steering developers away from SHA-1 in 2016, when it announced that SHA-1 would no longer be allowed for code-signing and certificates. In 2017, it discontinued support in its Internet Explorer and Edge browsers.
Others, including Facebook, Google and Mozilla, are doing the same. These changes are part of a broader shift in how browsers and web sites encrypt traffic to protect the contents of online communications. In 2015, Facebook announced that apps that don't support SHA-2 will no longer connect to it's network. In a security blog in 2016, Google announced that Chrome 56 will no longer support SHA-1. Mozilla also announced back in 2016, it's intention to phase out support for SHA-1.