Microsoft began an aggressive six-month campaign in March of this year to switch the digital signature on all operating system and product updates from using Secure Hash Algorithm 1 (SHA-1) to SHA-2. This required installing the current SHA-2 algorithms in all the operating systems so they could read and deploy the newly signed patches.
Microsoft took a phased approach using both dual-signed patches in conjunction with the SHA-2 operating system upgrades where needed. The campaign should come to completion next week with operating system releases for Windows Server 2012, Windows 8.1, and Windows Server 2012 R2 signed only with SHA-2. SHA-1 was an excellent algorithm when originally released but the latest advances in high speed computing have put its security at risk, so Microsoft rightfully moved to the latest security standard in SHA-2.
The campaign was progressing smoothly until last month when the Windows 7 and Server 2008 patches switched from dual to SHA-2 signed. A few third-party products blocked or otherwise interfered with the operating systems’ update. While not a Microsoft issue, they temporarily changed the detection logic to prevent updates on systems running Windows 7/Server 2008 with Symantec Endpoint Protection.
Once Symantec corrected the issue and pushed out a new update, Microsoft changed the detection logic back to its original form. We don’t anticipate any problems with this final move next week on the remaining operating systems, but you should always test your updates on non-production systems first to ensure they work properly.
Looking ahead in the forecast, you should be planning for a few end-of-life situations. Microsoft is now only four months away from the end-of-life of for Windows 7 and Server 2008/2008 R2. If you are not actively in migration to a newer workstation or server operating system, you should be budgeting for extended support.
Microsoft has both cloud and on-premise options to consider. Windows 10 also continues its service model with the Enterprise and Education Versions of 1703 reaching end-of-support on October 8. The Home, Professional, and Professional for Workstations will do the same for Version 1803 on November 12. And finally, Microsoft updated their blog to emphasize Adobe Flash support is still scheduled to end in December 2020.
September 2019 Patch Tuesday forecast
- Microsoft will provide the usual round of operating system and Office updates. Expect a SharePoint update which usually ties in closely with the Office changes.
- .NET has been released almost every other month so far this year so there is a strong possibility of a release this month.
- Mozilla released Firefox this week with new major versions across the board. They could release minor versions next week with security fixes, but no releases are currently scheduled.
- Google Chrome 77 is scheduled to be released on Tuesday according to their calendar, but they have been a little volatile of late.
- Adobe Flash has come out with non-security updates the past two months which is highly unusual, so who knows whether we will see more updates next week.
- Adobe Acrobat/Reader generally releases every three months. They released in August, so don’t expect one this month, but keep your eyes peeled for pre-notifications.