Microsoft Security Advisory: Update for deprecation of MD5 hashing algorithm for Microsoft root certificate program: August 13, 2013

INTRODUCTION

Microsoft has released a Microsoft security advisory about this issue for IT professionals. The security advisory contains additional security-related information. To view the security advisory, go to the following Microsoft website:

Note This security update does not include support for Windows 8 Embedded. An update that includes support for Windows 8 Embedded will be released at a later date.

More Information

  • The referenced change for February 2014 that is discussed in Advisory 2862973 applies only to certificates that are used for the following:
    • server authentication
    • code signing
    • time stamping
  • Other certificate usages of the MD5 signature hash algorithm will not be blocked.
  • With regard to code signing, we will allow binaries that were signed before March 2009 to continue to work, even if the signing certificate used the MD5 signature hash algorithm.
  • For time stamp certificates, we will allow the following time stamp certificates to continue to work. (The first long number is the SHA-2 thumbprint and the second is the common name.)
    • 01A8F438E1A14A904BA530942BEDBD94708CA654B8DF3C4585F17B60DA6690D1 VeriSign Time Stamping Service
    • 8421A0182C854C1F4266C95FC8302E217A14C7797FE41F2A87CA6B2734C43F1D VeriSign Time Stamping Service CA SW1
    • 1AD335187A1DC540738FB2EA82B7366678C2EEDCDAE75FEADD6ECD89779CB983 VeriSign Time Stamping Service
    • 4B480E8EE1B8DFF231005E9DC5D8267227684D07A38BA6FECDB288DE53FB0A3E NO LIABILITY ACCEPTED, (c)97 VeriSign, Inc.
  • For code signing CA certificates, we will allow the following certificates to be grandfathered in (and to continue to work):
    • E059080EF4409BC0D96FBCBDDEEE6C0AFBE871AD3D68BBA6A743C64631F599C9 Microsoft Mobile Device Privileged Component PCA
    • 26ED148B33F377BA01B68A9A97FEB2391FBED7D51E3F6EB83BEBC2FBA90920B1 GeoTrust True Credentials CA 2

Prerequisites

You must have update 2862966 installed before you can install this security update. Update 2862966 contains associated framework changes to Windows. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
2862966 An update is available that improves management of weak certificate cryptographic algorithms in Windows

Known issues that affect this security update

  • On affected releases of Microsoft Windows, security update 2862973 requires that certificates no longer use the MD5 hashing algorithm. Microsoft products or third-party products that call into the CertGetCertificateChain function will no longer trust certificates that have MD5 hashes. This restriction is limited to certificates that are issued under the roots in the Microsoft root certificate program. The restriction does not apply to enterprise certificates. Although this restriction is limited, we recommend that all customers evaluate their private PKI environments, and that they re-issue any certificates that utilize the MD5 hashing algorithm.

    The CertGetCertificateChain function builds a certificate chain context that starts from the end certificate and returns to a trusted root certificate, if it is possible. When the chain is validated, every certificate in the chain, excluding the root certificate’s self-signed signature, is inspected to make sure that it does not contain MD5 hashes. If any certificate in the chain has an MD5 hash, the end certificate will not be trusted.
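
The chain inspection described above can be reproduced to audit a private PKI for MD5-signed certificates, as the advisory recommends. This is an added example, not Microsoft's code; it assumes PowerShell 3.0 or later, and the function name Find-Md5ChainElement and the Cert:\LocalMachine\My store path are illustrative choices.

```powershell
# Added example (not Microsoft's code). Function name and store path are illustrative.
$Md5SignatureOid = '1.2.840.113549.1.1.4'        # md5WithRSAEncryption
$ScopedUsages = @{                               # the three usages named in the advisory
    '1.3.6.1.5.5.7.3.1' = 'server authentication'
    '1.3.6.1.5.5.7.3.3' = 'code signing'
    '1.3.6.1.5.5.7.3.8' = 'time stamping'
}

function Find-Md5ChainElement {
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    process {
        # Collect the end certificate's EKUs that fall within the advisory's scope.
        $usages = @()
        foreach ($ext in $Certificate.Extensions) {
            if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
                foreach ($oid in $ext.EnhancedKeyUsages) {
                    if ($ScopedUsages.ContainsKey($oid.Value)) { $usages += $ScopedUsages[$oid.Value] }
                }
            }
        }

        # Build the chain from the end certificate toward a root, without network lookups.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'NoCheck'
        [void]$chain.Build($Certificate)
        $certs = @(foreach ($element in $chain.ChainElements) { $element.Certificate })

        for ($i = 0; $i -lt $certs.Count; $i++) {
            $c = $certs[$i]
            # The root's self-signed signature is excluded from the MD5 inspection.
            $isRoot = ($i -eq $certs.Count - 1) -and ($c.Subject -eq $c.Issuer)
            if (-not $isRoot -and $c.SignatureAlgorithm.Value -eq $Md5SignatureOid) {
                [pscustomobject]@{
                    EndCertificate = $Certificate.Subject
                    EndThumbprint  = $Certificate.Thumbprint
                    ScopedUsages   = $usages -join ', '
                    Md5SignedCert  = $c.Subject
                    ChainPosition  = $i      # 0 = end certificate
                }
            }
        }
    }
}

Get-ChildItem Cert:\LocalMachine\My | Find-Md5ChainElement | Format-Table -AutoSize
```

Each output row names an end certificate whose chain contains an MD5-signed certificate below the root; an empty ScopedUsages column means the end certificate lists none of the three usages in an EKU extension.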

Resolution

The following files are available for download from the Microsoft Download Center.

  • For all supported x86-based versions of Windows Vista
  • For all supported x64-based versions of Windows Vista
  • For all supported x86-based versions of Windows Server 2008
  • For all supported x64-based versions of Windows Server 2008
  • For all supported IA-64-based versions of Windows Server 2008
  • For all supported x86-based versions of Windows 7
  • For all supported x64-based versions of Windows 7
  • For all supported x86-based versions of Windows Embedded Standard 7
  • For all supported versions of Windows Embedded Standard 7 for x64-based Systems
  • For all supported x64-based versions of Windows Server 2008 R2
  • For all supported IA-64-based versions of Windows Server 2008 R2
  • For all supported x86-based versions of Windows 8
  • For all supported x64-based versions of Windows 8
  • For all supported x64-based versions of Windows Server 2012

Release Date: August 13, 2013

For more information about how to download Microsoft support files, click the following article number to view the article in the Microsoft Knowledge Base:
119591 How to obtain Microsoft support files from online services
Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help prevent any unauthorized changes to the file.
Properties

Article ID: 2862973 - Last Review: Jun 10, 2014 - Revision: 1

Windows 8, Windows 8 Enterprise, Windows 8 Pro, Windows Server 2012 Datacenter, Windows Server 2012 Essentials, Windows Server 2012 Foundation, Windows Server 2012 Standard, Windows 7 Service Pack 1, Windows 7 Enterprise, Windows 7 Professional, Windows 7 Ultimate, Windows 7 Home Premium, Windows 7 Home Basic, Windows Server 2008 R2 Service Pack 1, Windows Server 2008 R2 Standard, Windows Server 2008 R2 Enterprise, Windows Server 2008 R2 Datacenter, Windows Server 2008 Service Pack 2, Windows Server 2008 for Itanium-Based Systems, Windows Server 2008 Datacenter, Windows Server 2008 Enterprise, Windows Server 2008 Standard, Windows Web Server 2008, Windows Vista Service Pack 2, Windows Vista Business, Windows Vista Enterprise, Windows Vista Home Basic, Windows Vista Home Premium, Windows Vista Starter, Windows Vista Ultimate, Windows Vista Enterprise 64-bit Edition, Windows Vista Home Basic 64-bit Edition, Windows Vista Home Premium 64-bit Edition, Windows Vista Ultimate 64-bit Edition, Windows Vista Business 64-bit Edition
