30 July 2020

Microsoft will remove all Windows downloads signed with SHA-1



All file downloads signed with the Secure Hash Algorithm 1 (SHA-1) are considered insecure and will be removed from Microsoft Download Center on August 3, 2020.

The SHA-1 algorithm was commonly used to code-sign executables and to sign the TLS and SSL certificates that web sites use to authenticate a publisher's legitimacy. A theoretical description of how to break the SHA-1 hash function was published back in 2005, but the attack was only carried out in practice 12 years later. In 2017, scientists managed for the first time to create two files with the same SHA-1 hash. The attack was dubbed SHAttered.

Due to issues with SHA-1 certificates, Microsoft and other developers have moved away from SHA-1 and now require SHA-2 to be used to install Windows updates.

“To support evolving industry security standards, and continue to keep you protected and productive, Microsoft will retire content that is Windows-signed for Secure Hash Algorithm 1 (SHA-1) from the Microsoft Download Center on August 3, 2020. This is the next step in our continued efforts to adopt Secure Hash Algorithm 2 (SHA-2), which better meets modern security requirements and offers added protections from common attack vectors,” the company said.

According to Microsoft, SHA-1 is outdated, and many in the information security community consider it insecure. Using SHA-1 in digital certificates can allow an attacker to spoof content, perform phishing attacks, or perform man-in-the-middle attacks.
