Microsoft Security Advisory: Update for deprecation of MD5 hashing algorithm for Microsoft root certificate program: August 13, 2013

Article ID: 2862973

INTRODUCTION

Microsoft has released a Microsoft security advisory about this issue for IT professionals. The security advisory contains additional security-related information. To view the security advisory, go to the following Microsoft website:
http://technet.microsoft.com/security/advisory/2862973
Note: This security update does not include support for Windows 8 Embedded. An update that includes support for Windows 8 Embedded will be released at a later date.

More information

  • The referenced change for February 2014 that is discussed in Advisory 2862973 applies only to certificates that are used for the following:
    • server authentication
    • code signing
    • time stamping
  • Other certificate usages of the MD5 signature hash algorithm will not be blocked.
  • With regard to code signing, we will allow binaries that were signed before March 2009 to continue to work, even if the signing certificate used the MD5 signature hash algorithm.
  • For time stamp certificates, we will allow the following time stamp certificates to continue to work. (The first long number is the SHA-2 thumbprint and the second is the common name.)
    • 01A8F438E1A14A904BA530942BEDBD94708CA654B8DF3C4585F17B60DA6690D1 VeriSign Time Stamping Service
    • 8421A0182C854C1F4266C95FC8302E217A14C7797FE41F2A87CA6B2734C43F1D VeriSign Time Stamping Service CA SW1
    • 1AD335187A1DC540738FB2EA82B7366678C2EEDCDAE75FEADD6ECD89779CB983 VeriSign Time Stamping Service
    • 4B480E8EE1B8DFF231005E9DC5D8267227684D07A38BA6FECDB288DE53FB0A3E NO LIABILITY ACCEPTED, (c)97 VeriSign, Inc.
  • For code signing CA certificates, we will allow the following certificates to be grandfathered in (and to continue to work):
    • E059080EF4409BC0D96FBCBDDEEE6C0AFBE871AD3D68BBA6A743C64631F599C9 Microsoft Mobile Device Privileged Component PCA
    • 26ED148B33F377BA01B68A9A97FEB2391FBED7D51E3F6EB83BEBC2FBA90920B1 GeoTrust True Credentials CA 2

Prerequisites

You must have update 2862966 installed before you can install this security update. Update 2862966 contains associated framework changes to Windows. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
2862966 An update is available that improves management of weak certificate cryptographic algorithms in Windows

Known issues that affect this security update

  • On affected releases of Microsoft Windows, security update 2862973 requires that certificates no longer use the MD5 hashing algorithm. Microsoft products or third-party products that call into the CertGetCertificateChain function will no longer trust certificates that have MD5 hashes. This restriction is limited to certificates that are issued under the roots in the Microsoft root certificate program. The restriction does not apply to enterprise certificates. Although this restriction is limited, we recommend that all customers evaluate their private PKI environments, and that they re-issue any certificates that utilize the MD5 hashing algorithm.

    The CertGetCertificateChain function builds a certificate chain context that starts from the end certificate and returns to a trusted root certificate, if it is possible. When the chain is validated, every certificate in the chain, excluding the root certificate’s self-signed signature, is inspected to make sure that it does not contain MD5 hashes. If any certificate in the chain has an MD5 hash, the end certificate will not be trusted.
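
An audit along the lines of the chain inspection described above, as an added PowerShell example that is not Microsoft's code: it builds each certificate's chain with the .NET X509Chain class and reports every non-root element that is signed with md5RSA. The store paths and function names are assumptions chosen for illustration, and the script flags MD5 regardless of certificate usage or root program membership, so it is broader than the rule the update enforces.

```powershell
# Added example (not from the advisory): find MD5-signed certificates in local chains.
# Assumption: only md5WithRSAEncryption (OID 1.2.840.113549.1.1.4) is treated as MD5.
$Md5Oids = @('1.2.840.113549.1.1.4')

function Test-Md5Signature {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    return ($Md5Oids -contains $Certificate.SignatureAlgorithm.Value)
}

function Get-Md5ChainFinding {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Audit only: skip revocation lookups, we just need the chain elements.
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    # Build() may return $false (for example, untrusted root); elements are still populated.
    [void]$chain.Build($Certificate)

    $count = $chain.ChainElements.Count
    for ($i = 0; $i -lt $count; $i++) {
        $cert = $chain.ChainElements[$i].Certificate
        # The self-signed signature on the root is excluded, as the article describes.
        # Subject/Issuer string equality is used here as a simple self-signed heuristic.
        $isSelfSignedRoot = ($i -eq $count - 1) -and ($cert.Subject -eq $cert.Issuer)
        if (-not $isSelfSignedRoot -and (Test-Md5Signature $cert)) {
            [pscustomobject]@{
                EndCertificate = $Certificate.Subject
                EndThumbprint  = $Certificate.Thumbprint   # SHA-1 thumbprint from .NET
                Md5Certificate = $cert.Subject
                ChainPosition  = $i                        # 0 = end certificate
                NotAfter       = $cert.NotAfter
            }
        }
    }
}

# Assumed scope: the personal stores of the machine and the current user.
Get-ChildItem Cert:\LocalMachine\My, Cert:\CurrentUser\My |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509Certificate2] } |
    ForEach-Object { Get-Md5ChainFinding $_ } |
    Sort-Object EndThumbprint, ChainPosition |
    Format-Table -AutoSize
```

Any row in the output identifies an end certificate whose chain contains an MD5-signed certificate and is therefore a candidate for re-issuance.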

File hash information


Resolution

The following files are available for download from the Microsoft Download Center.

  • For all supported x86-based versions of Windows Vista
  • For all supported x64-based versions of Windows Vista
  • For all supported x86-based versions of Windows Server 2008
  • For all supported x64-based versions of Windows Server 2008
  • For all supported IA-64-based versions of Windows Server 2008
  • For all supported x86-based versions of Windows 7
  • For all supported x64-based versions of Windows 7
  • For all supported x86-based versions of Windows Embedded Standard 7
  • For all supported versions of Windows Embedded Standard 7 for x64-based Systems
  • For all supported x64-based versions of Windows Server 2008 R2
  • For all supported IA-64-based versions of Windows Server 2008 R2
  • For all supported x86-based versions of Windows 8
  • For all supported x64-based versions of Windows 8
  • For all supported x64-based versions of Windows Server 2012

Release Date: August 13, 2013

For more information about how to download Microsoft support files, click the following article number to view the article in the Microsoft Knowledge Base:
119591 How to obtain Microsoft support files from online services
Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help prevent any unauthorized changes to the file.

Properties

Article ID: 2862973 - Last Review: February 19, 2014 - Revision: 7.0
Applies to
  • Windows 8
  • Windows 8 Enterprise
  • Windows 8 Pro
  • Windows Server 2012 Datacenter
  • Windows Server 2012 Essentials
  • Windows Server 2012 Foundation
  • Windows Server 2012 Standard
  • Windows 7 Service Pack 1, when used with:
    • Windows 7 Enterprise
    • Windows 7 Professional
    • Windows 7 Ultimate
    • Windows 7 Home Premium
    • Windows 7 Home Basic
  • Windows Server 2008 R2 Service Pack 1, when used with:
    • Windows Server 2008 R2 Standard
    • Windows Server 2008 R2 Enterprise
    • Windows Server 2008 R2 Datacenter
  • Windows Server 2008 Service Pack 2, when used with:
    • Windows Server 2008 for Itanium-Based Systems
    • Windows Server 2008 Datacenter
    • Windows Server 2008 Enterprise
    • Windows Server 2008 Standard
    • Windows Web Server 2008
  • Windows Vista Service Pack 2, when used with:
    • Windows Vista Business
    • Windows Vista Enterprise
    • Windows Vista Home Basic
    • Windows Vista Home Premium
    • Windows Vista Starter
    • Windows Vista Ultimate
    • Windows Vista Enterprise 64-bit Edition
    • Windows Vista Home Basic 64-bit Edition
    • Windows Vista Home Premium 64-bit Edition
    • Windows Vista Ultimate 64-bit Edition
    • Windows Vista Business 64-bit Edition