Microsoft Responds as Hackers Target SHA-1 Vulnerability
Heads up: Edge and Internet Explorer users may have noticed a slight uptick in the number of downloads dubbed untrustworthy by those browsers so far this year. The reason? Effective January 1, Microsoft changed Windows’ default settings so that many files downloaded from the Internet bearing an SHA-1 code signature are treated as suspicious.
Late last year, there were rumblings that the SHA-1 hash algorithm was on the fast track to being cracked. Should that have happened, it would have left anything protected by that algorithm open to being accessed and manipulated by hackers and cyber crooks. While the use of SHA-1 has long been looked at as the opposite of a “best practice,” these threats spurred Microsoft and others to double down on efforts to get users to modernize wherever possible. This includes updating to modern browsers designed to work with newer, more effective hash algorithms, such as SHA-256 or greater. It also means migrating any internal certificate infrastructures away from SHA-1 and over to something more secure.
As far as scope goes, this change will only impact new files. Any files timestamped and released before that January 1 date will continue to be marked as trustworthy by browsers. In addition, signatures verified by Code Integrity are immune from this modification.
It’s important to note that users will still be able to download and access any of the files thought to be untrustworthy. The purpose of this change is to alert them about the increased risks which may lie ahead. If they so choose, customers can override or alter the settings imposed by this change to better suit their needs.
This is the case right now, but long term is a different story. Come January 1, 2017, Windows will automatically block SHA-1 signatures. There is a possibility that end date will come much sooner, however. Microsoft and other browser makers have considered moving it all the way up to June 2016.
The path to a safer, more modern IT environment
Whatever the end date, it’s critical to begin the process of weeding out any legacy systems likely to be affected by this change as soon as possible. That way, when the time does come, business can carry on as per usual – without any heightened fears of attacks.
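One way to start that inventory on a Windows host is to list the certificates in the local certificate stores that were signed with a SHA-1-based algorithm. This is an added example, not code from Microsoft or Arraya; the store paths scanned and the set of SHA-1 signature OIDs checked are assumptions chosen for illustration.

```powershell
# Added example: find certificates in the Windows certificate stores whose
# signature algorithm is SHA-1-based, so they can be reissued with SHA-256.

# Signature-algorithm OIDs that use SHA-1 (assumed list; matching on the OID
# avoids depending on localized friendly names such as "sha1RSA").
$sha1SignatureOids = @(
    '1.2.840.113549.1.1.5',  # sha1WithRSAEncryption
    '1.3.14.3.2.29',         # sha1WithRSASignature (older OIW identifier)
    '1.2.840.10040.4.3',     # dsa-with-sha1
    '1.2.840.10045.4.1'      # ecdsa-with-SHA1
)

# Stores to scan (assumption: machine and current-user stores are in scope).
$stores = 'Cert:\LocalMachine', 'Cert:\CurrentUser'

$findings = Get-ChildItem -Path $stores -Recurse -ErrorAction SilentlyContinue |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509Certificate2] } |
    Where-Object { $sha1SignatureOids -contains $_.SignatureAlgorithm.Value } |
    ForEach-Object {
        [pscustomobject]@{
            # PSParentPath looks like "...\Certificate::LocalMachine\My"
            Store      = ($_.PSParentPath -split '::')[-1]
            Subject    = $_.Subject
            Issuer     = $_.Issuer
            # A self-signed root is trusted because it is in the store, not
            # because of its signature, so these are lower priority than
            # intermediate and end-entity certificates.
            SelfSigned = ($_.Subject -eq $_.Issuer)
            Algorithm  = $_.SignatureAlgorithm.FriendlyName
            NotAfter   = $_.NotAfter
            # The thumbprint is always a SHA-1 hash of the certificate on
            # Windows; it is an identifier, not the signature algorithm.
            Thumbprint = $_.Thumbprint
        }
    }

# Non-root certificates first, soonest expiry first.
$findings | Sort-Object SelfSigned, NotAfter | Format-Table -AutoSize
```

Certificates listed with an internal CA as the issuer point to the internal PKI that needs to move to SHA-256 or greater.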
The Arraya Solutions team is well-versed in identifying and securing weak points in any IT infrastructure. Our team will work with onsite IT to plan out and execute the necessary changes. We can help businesses make the jump to modern browsers such as IE11 or Edge, or leave behind vulnerable and outdated tools such as Windows XP or 2003. If customers issue their own SHA-1-based certificates for internal use, our team stands ready to assist them with upgrading their internal PKI to use SHA-256 or greater.
If you’re ready to start a conversation, our team can be reached at http://www.arrayasolutions.com/contact-us/. We’re also available to answer any of your SHA-1 or general IT infrastructure questions through our social media accounts. Be sure to reach out to us on Twitter @ArrayaSolutions, on LinkedIn, or on Facebook.