Microsoft Security Advisory: Update for deprecation of MD5 hashing algorithm for Microsoft root certificate program: August 13, 2013

Applies to: Windows 8, Windows 8 Enterprise, Windows 8 Pro

INTRODUCTION


Microsoft has released a Microsoft security advisory about this issue for IT professionals. The security advisory contains additional security-related information. To view the security advisory, go to the following Microsoft website:

Note This security update does not include support for Windows 8 Embedded. An update that includes support for Windows 8 Embedded will be released at a later date.

More Information


  • The referenced change for February 2014 that is discussed in Advisory 2862973 applies only to certificates that are used for the following:
    • server authentication
    • code signing
    • time stamping
  • Other certificate usages of the MD5 signature hash algorithm will not be blocked.
  • With regard to code signing, we will allow binaries that were signed before March 2009 to continue to work, even if the signing certificate used the MD5 signature hash algorithm.
  • For time stamping, we will allow the following time stamp certificates to continue to work. (The first long number is the SHA-2 thumbprint and the second is the common name.)
    • 01A8F438E1A14A904BA530942BEDBD94708CA654B8DF3C4585F17B60DA6690D1 VeriSign Time Stamping Service
    • 8421A0182C854C1F4266C95FC8302E217A14C7797FE41F2A87CA6B2734C43F1D VeriSign Time Stamping Service CA SW1
    • 1AD335187A1DC540738FB2EA82B7366678C2EEDCDAE75FEADD6ECD89779CB983 VeriSign Time Stamping Service
    • 4B480E8EE1B8DFF231005E9DC5D8267227684D07A38BA6FECDB288DE53FB0A3E NO LIABILITY ACCEPTED, (c)97 VeriSign, Inc.
  • For code signing CA certificates, we will allow the following certificates to be grandfathered in (and to continue to work):
    • E059080EF4409BC0D96FBCBDDEEE6C0AFBE871AD3D68BBA6A743C64631F599C9 Microsoft Mobile Device Privileged Component PCA
    • 26ED148B33F377BA01B68A9A97FEB2391FBED7D51E3F6EB83BEBC2FBA90920B1 GeoTrust True Credentials CA 2

Prerequisites

You must have update 2862966 installed before you can install this security update. Update 2862966 contains the associated framework changes to Windows. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
2862966 An update is available that improves management of weak certificate cryptographic algorithms in Windows

Known issues that affect this security update

  • On affected releases of Microsoft Windows, security update 2862973 requires that certificates no longer use the MD5 hashing algorithm. Microsoft products or third-party products that call into the CertGetCertificateChain function will no longer trust certificates that have MD5 hashes. This restriction is limited to certificates that are issued under the roots in the Microsoft root certificate program. The restriction does not apply to enterprise certificates. Although this restriction is limited, we recommend that all customers evaluate their private PKI environments, and that they re-issue any certificates that utilize the MD5 hashing algorithm.

    The CertGetCertificateChain function builds a certificate chain context that starts from the end certificate and returns to a trusted root certificate, if it is possible. When the chain is validated, every certificate in the chain, excluding the root certificate’s self-signed signature, is inspected to make sure that it does not contain MD5 hashes. If any certificate in the chain has an MD5 hash, the end certificate will not be trusted.
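An added audit script (not part of this KB article) that walks each leaf certificate's chain the way the KB describes CertGetCertificateChain doing it, reports any chain element other than the self-signed root that carries an MD5 signature, and marks whether its SHA-2 thumbprint is one the More Information section lists as grandfathered. Assumptions of mine, not the KB's: Windows PowerShell 3.0 or later, and the choice of the two audited stores and the output fields.

```powershell
# Added audit script (not from the KB): find MD5-signed certificates in chains,
# excluding the root's self-signed signature as the KB says the check does.
# Assumes Windows PowerShell 3.0+; stores and output fields are example choices.

# SHA-2 thumbprints the KB lists as grandfathered (time stamping and code-signing CAs only)
$Grandfathered = @(
    '01A8F438E1A14A904BA530942BEDBD94708CA654B8DF3C4585F17B60DA6690D1',
    '8421A0182C854C1F4266C95FC8302E217A14C7797FE41F2A87CA6B2734C43F1D',
    '1AD335187A1DC540738FB2EA82B7366678C2EEDCDAE75FEADD6ECD89779CB983',
    '4B480E8EE1B8DFF231005E9DC5D8267227684D07A38BA6FECDB288DE53FB0A3E',
    'E059080EF4409BC0D96FBCBDDEEE6C0AFBE871AD3D68BBA6A743C64631F599C9',
    '26ED148B33F377BA01B68A9A97FEB2391FBED7D51E3F6EB83BEBC2FBA90920B1'
)

function Get-Sha256Thumbprint {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # X509Certificate2.Thumbprint is SHA-1; the KB's list is SHA-256 over the DER bytes
    $hash = [System.Security.Cryptography.SHA256]::Create().ComputeHash($Cert.RawData)
    return ([System.BitConverter]::ToString($hash)) -replace '-', ''
}

function Test-Md5Signed {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # 1.2.840.113549.1.1.4 is md5WithRSAEncryption; FriendlyName shows as 'md5RSA'
    return ($Cert.SignatureAlgorithm.Value -eq '1.2.840.113549.1.1.4') -or
           ($Cert.SignatureAlgorithm.FriendlyName -match 'md5')
}

Get-ChildItem -Path Cert:\LocalMachine\My, Cert:\CurrentUser\My | ForEach-Object {
    $leaf  = $_
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # only signature algorithms matter here
    $null  = $chain.Build($leaf)
    $certs = @($chain.ChainElements | ForEach-Object { $_.Certificate })
    for ($i = 0; $i -lt $certs.Count; $i++) {
        $c = $certs[$i]
        # The KB excludes the root certificate's self-signed signature from the MD5 check
        if ($i -eq $certs.Count - 1 -and $c.Subject -eq $c.Issuer) { continue }
        if (Test-Md5Signed $c) {
            $tp = Get-Sha256Thumbprint $c
            [pscustomobject]@{
                Leaf            = $leaf.Subject
                Md5SignedCert   = $c.Subject
                Sha256          = $tp
                KbGrandfathered = ($Grandfathered -contains $tp)
            }
        }
    }
    $chain.Reset()
}
```

Enterprise (private PKI) certificates are not blocked by the update, but any row this reports is a certificate the KB recommends re-issuing.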

Resolution


The following files are available for download from the Microsoft Download Center.

  • For all supported x86-based versions of Windows Vista
  • For all supported x64-based versions of Windows Vista
  • For all supported x86-based versions of Windows Server 2008
  • For all supported x64-based versions of Windows Server 2008
  • For all supported IA-64-based versions of Windows Server 2008
  • For all supported x86-based versions of Windows 7
  • For all supported x64-based versions of Windows 7
  • For all supported x86-based versions of Windows Embedded Standard 7
  • For all supported versions of Windows Embedded Standard 7 for x64-based systems
  • For all supported x64-based versions of Windows Server 2008 R2
  • For all supported IA-64-based versions of Windows Server 2008 R2
  • For all supported x86-based versions of Windows 8
  • For all supported x64-based versions of Windows 8
  • For all supported x64-based versions of Windows Server 2012

Release Date: August 13, 2013

For more information about how to download Microsoft support files, click the following article number to view the article in the Microsoft Knowledge Base:
119591 How to obtain Microsoft support files from online services
Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help prevent any unauthorized changes to the file.