Microsoft Security Advisory (2862973)
Update for Deprecation of MD5 Hashing Algorithm for Microsoft Root Certificate Program
Microsoft is announcing the availability of an update for supported editions of Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, and Windows RT that restricts the use of certificates with MD5 hashes. This restriction is limited to certificates issued under roots in the Microsoft root certificate program. Use of the MD5 hash algorithm in certificates could allow an attacker to spoof content, perform phishing attacks, or perform man-in-the-middle attacks.
The update is available on the Download Center as well as the Microsoft Update Catalog for all affected releases of Microsoft Windows except for Windows RT (no update for Windows RT is available at this time). In addition, Microsoft is planning to release this update through Microsoft Update on February 11, 2014, after customers have had a chance to assess the impact of this update and take necessary actions in their environments.
Recommendation. Microsoft recommends that customers download, test, and apply the update at the earliest opportunity. Please see the Suggested Actions section of this advisory for more information.
Note that the 2862966 update is a prerequisite and must be applied before this update can be installed. The 2862966 update contains associated framework changes to Microsoft Windows. For more information, see Microsoft Knowledge Base Article 2862966.
Known Issues. Microsoft Knowledge Base Article 2862973 documents the currently known issues that customers may experience when installing this update. The article also documents recommended solutions for these issues.
For more information about this issue, see the following references:
- Microsoft Knowledge Base Article 2862973
This advisory discusses the following software.
- Windows Vista Service Pack 2
- Windows Vista x64 Edition Service Pack 2
- Windows Server 2008 for 32-bit Systems Service Pack 2
- Windows Server 2008 for x64-based Systems Service Pack 2
- Windows Server 2008 for Itanium-based Systems Service Pack 2
- Windows 7 for 32-bit Systems Service Pack 1
- Windows 7 for x64-based Systems Service Pack 1
- Windows Server 2008 R2 for x64-based Systems Service Pack 1
- Windows Server 2008 R2 for Itanium-based Systems Service Pack 1
- Windows 8 for 32-bit Systems
- Windows 8 for 64-bit Systems
- Windows Server 2012

Server Core installation option:
- Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
- Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
- Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
- Windows Server 2012 (Server Core installation)
- You can provide feedback by completing the Microsoft Help and Support form, Customer Service Contact Us.
- Customers in the United States and Canada can receive technical support from Security Support. For more information, see Microsoft Help and Support.
- International customers can receive support from their local Microsoft subsidiaries. For more information, see International Support.
- Microsoft TechNet Security provides additional information about security in Microsoft products.
The information provided in this advisory is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
- V1.0 (August 13, 2013): Advisory published.
- V1.1 (August 27, 2013): Revised advisory to announce that the 2862973 update is available from the Microsoft Update Catalog.
- V1.2 (October 8, 2013): Clarified that this update does not apply to Windows 8.1, Windows Server 2012 R2, and Windows RT 8.1. However, for all applicable operating systems, Microsoft reminds customers that administrators of enterprise installations should assess their environments for the existence of certificates with MD5 hashes and re-issue these certificates prior to broader distribution of the update, which Microsoft plans to release in February 2014.
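
The V1.2 note asks administrators to assess their environments for certificates with MD5 hashes before the update is distributed more broadly. One way to take that inventory on a single machine, as an added example that is not part of Microsoft's advisory or update: the function name `Find-Md5SignedCertificate`, its default store paths and its output column names are assumptions, and it only reads the local certificate stores.

```powershell
# Added example (not Microsoft's code): list certificates in the local
# certificate stores whose signature algorithm is MD5-based.
function Find-Md5SignedCertificate {
    param(
        # Certificate provider paths to search recursively (defaults are an assumption).
        [string[]]$StorePath = @('Cert:\LocalMachine', 'Cert:\CurrentUser')
    )

    # OID of md5WithRSAEncryption, which Windows displays as "md5RSA".
    $md5WithRsaOid = '1.2.840.113549.1.1.4'
    $now = Get-Date

    Get-ChildItem -Path $StorePath -Recurse -ErrorAction SilentlyContinue |
        # The provider also returns store and location containers; keep certificates only.
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509Certificate2] } |
        # Match on the OID first; the friendly-name test catches other MD5 variants.
        Where-Object {
            $_.SignatureAlgorithm.Value -eq $md5WithRsaOid -or
            $_.SignatureAlgorithm.FriendlyName -match 'md5'
        } |
        Select-Object -Property @(
            # PSParentPath looks like "...\Certificate::LocalMachine\My"; keep the store part.
            @{ Name = 'Store';      Expression = { ($_.PSParentPath -split '::')[-1] } }
            @{ Name = 'Algorithm';  Expression = { $_.SignatureAlgorithm.FriendlyName } }
            # Heuristic only: subject equal to issuer usually means a self-signed certificate.
            @{ Name = 'SelfSigned'; Expression = { $_.Subject -eq $_.Issuer } }
            @{ Name = 'Expired';    Expression = { $_.NotAfter -lt $now } }
            'NotAfter', 'Subject', 'Issuer', 'Thumbprint'
        )
}

# Review the certificates that are still within their validity period first.
Find-Md5SignedCertificate |
    Where-Object { -not $_.Expired } |
    Sort-Object Store, NotAfter |
    Format-Table -AutoSize -Wrap
```

The scan covers only certificates installed in the stores of the machine it runs on; certificates presented by remote servers or embedded in signed files need a separate check.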