Microsoft to delete legacy updates in the great SHA-1 purge

Get ready to see this quite often.

According to the article here, the purge will be complete on August 3rd (aka yesterday). Rather than shipping an update that lets legacy systems verify SHA-2 and re-signing the old updates, MS has taken the path of obsolescence and pulled the downloads.

And we’ve been here before.

Microsoft Movie Maker was a popular download for Windows XP, and MS removed the download, as hosting it was apparently encouraging people to keep on using XP. Naturally this wasn’t taken as a message that people wanted this kind of product, and why fill a void when you can remove a product? So now the majority of downloads that you will find are infected, corrupted and just going to cause further problems.

And here we go again.

Office 2003 SP1 is no more

A quick search on BING for MS Office 2003 updates still shows links, but they are simply no more. The purge is in full force, and search pages haven’t caught up. And as you can see cnet is already in the top downloads, and will become the authoritative download by fiat.

Also, the deployment packages for the early .NET versions are no longer available for download, while .NET 1.1 SP1 is, surprisingly, still online. For reference:

$ shasum -a 512256 NDP1.1sp1-KB867460-X86.exe 
7b44095feff471dee9366a2153dfe2654d70754c21b7e5204ed950cdf4a3f15a  NDP1.1sp1-KB867460-X86.exe

For what it’s worth.

Calculating with shasum offers a few algorithms, as this isn’t a simple one-shot deal.

-a, --algorithm   1 (default), 224, 256, 384, 512, 512224, 512256

Naturally, this adds further confusion. Like everything with crypto, it’s so easy to mess it up.

$ shasum -a 1 NDP1.1sp1-KB867460-X86.exe 
74a5b25d65a70b8ecd6a9c301a0aea10d8483a23  NDP1.1sp1-KB867460-X86.exe
$ shasum -a 224 NDP1.1sp1-KB867460-X86.exe 
18507f80722780ca477d7f10528ae28dd176f8d36cbce05a50cc7be0  NDP1.1sp1-KB867460-X86.exe
$ shasum -a 256 NDP1.1sp1-KB867460-X86.exe 
2c0a35409ff0873cfa28b70b8224e9aca2362241c1f0ed6f622fef8d4722fd9a  NDP1.1sp1-KB867460-X86.exe
$ shasum -a 384 NDP1.1sp1-KB867460-X86.exe 
c2372c71f93b5dc2a1c21c804bc74e27d82bfa45ee50fbc9037e713c156f1c591ffbe5e87f94022157906098916403b4  NDP1.1sp1-KB867460-X86.exe
$ shasum -a 512 NDP1.1sp1-KB867460-X86.exe 
bbe643f447f49636732b12d23a052d02681ad41f6920dc1038b073fa600f7589b378ed8e7de97e811543d93ae89ce52871a85ee58aa3b6aeaddc01bc1617ad85  NDP1.1sp1-KB867460-X86.exe
$ shasum -a 512224 NDP1.1sp1-KB867460-X86.exe 
63b2ffb0c5f1cd68abafba23997482b2087d486dcf60bec6fef7446d  NDP1.1sp1-KB867460-X86.exe
$ shasum -a 512256 NDP1.1sp1-KB867460-X86.exe 
7b44095feff471dee9366a2153dfe2654d70754c21b7e5204ed950cdf4a3f15a  NDP1.1sp1-KB867460-X86.exe

Oddly enough, a quick search for these checksums isn’t coming up with anything, so I guess I’m first. That, of course, is a further problem: there is no authoritative source from MS. I get the contract obsolescence thing; after all, the strongest competition to NEW MS products is OLD MS products. I still use Excel 3 & MS Word 2, despite having an Office 365 subscription and various newer retail versions.
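The shasum runs above show why a bare hex string is ambiguous: `-a 256` and `-a 512256` both print 64 hex characters, and `-a 224` and `-a 512224` both print 56. The following is an added example, not part of the original post, that hashes a file once with every algorithm shasum lists and reports which one a published digest belongs to. The function names and the sample file are constructed for illustration, and SHA-512/224 and SHA-512/256 are used only if the local Python build exposes them.

```python
import hashlib
import os
import tempfile

# shasum "-a" value -> (hashlib name, digest length in bits)
SHASUM_ALGS = {
    "1": ("sha1", 160), "224": ("sha224", 224), "256": ("sha256", 256),
    "384": ("sha384", 384), "512": ("sha512", 512),
    "512224": ("sha512_224", 224), "512256": ("sha512_256", 256),
}

def digest_all(path, chunk=1 << 20):
    """Read the file once and return {shasum -a value: hex digest}."""
    hashers = {a: hashlib.new(name) for a, (name, _) in SHASUM_ALGS.items()
               if name in hashlib.algorithms_available}
    with open(path, "rb") as fh:
        while block := fh.read(chunk):
            for h in hashers.values():
                h.update(block)
    return {a: h.hexdigest() for a, h in hashers.items()}

def same_length_algs(published_hex):
    """shasum -a values that digest length alone cannot tell apart."""
    bits = len(published_hex.strip()) * 4
    return [a for a, (_, n) in SHASUM_ALGS.items() if n == bits]

def identify(path, published_hex):
    """shasum -a values whose digest of `path` equals the published one."""
    want = published_hex.strip().lower()
    return [a for a, got in digest_all(path).items() if got == want]

if __name__ == "__main__":
    # Constructed sample: a small temporary file standing in for a download.
    fd, sample = tempfile.mkstemp()
    os.write(fd, b"constructed sample installer bytes")
    os.close(fd)
    try:
        digests = digest_all(sample)
        published = digests["256"]  # pretend this is all a web page gave us
        print("length-compatible:", same_length_algs(published))
        print("actually matches: ", identify(sample, published))
    finally:
        os.remove(sample)
```

An empty list from `identify` means the file matches under none of the algorithms, which is different from having compared against the wrong one.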

The sad thing is that many people will get screwed over by this action, and the only “solution” is of course to move to Windows 10, embrace the new, and hope that you don’t have applications that actually require .NET 1.1 (or 1.0!).

12 thoughts on “Microsoft to delete legacy updates in the great SHA-1 purge”

  1. “The sad thing is that many people will get screwed over from this action, and the only “solution” is of course move to Windows 10, embrace the new, and hope that you don’t have applications that actually require .NET 1.1 (or 1.0!).”

    Or just start backing the open source NT alternative: ReactOS :-).

  2. I’ve got a bunch of old Windows, .NET and Office SPs on the server at work, here are my hashes:


    • I’m not sure that the claims in that link are factually correct. I know I’ve updated these systems from the live update servers well after the dates in that post. Note that Vista is 2008, and 2008 was supported until January, so a mechanism needed to exist to make it current.

      Nonetheless, these update servers can’t run forever due to the high level theme, which is that any security protocols understood by older systems cannot hope to remain secure forever. So either the update servers are available in a very insecure form, and all new updates go through a very different more secure system, or eventually the plug gets pulled. Last year I used WSUS to build an offline store of all of the updates for these OSes so I have an update server and the update catalog in expectation that the live servers will lose compatibility soon.

  3. What is the cutoff for SHA1 vs. newer signatures? I just installed Office 2007 on a machine. Manually installed SP3 (pulled from update catalog, have it on a WSUS update DVD), and Windows Update picked up the rest of the post SP3 updates no problem. SP3 came out in 2011ish.

    • I could be wrong but I think what they’re doing is pulling SHA-1 downloads from the download center, and this announcement doesn’t affect the update catalog or Windows Update. Since WU is pulling directly from Microsoft servers, the level of security it has is more about TLS than code signing. And nobody has suggested (yet) that executing SHA-1 signed code is about to be problematic, so if there’s a way to get bits to the machine, you’re set.

      (Note for context though that there are MD5 signed binaries out there, and many builds of Windows consider it an invalid signature and scream at the user. This seems very strange considering it happily executes unsigned usermode code.)

      • Looking at the Microsoft Update catalog, there are no longer any downloads dated before May 2017. It looks like any product still under support (mainstream or extended) at that time had hashes updated, so the downloads remain. The date is awfully convenient seeing that Vista exited support in April of 2017. Oddly XP SP3 is still available.

        Windows Update didn’t pull any updates for Office 2007 until I manually updated it to SP3. WU used to pull the service pack.

        • It looks to me like in May/June 2017 they re-signed piles of things so the dates don’t reflect the real date of the update. Taking Office 2007, see how the Compatibility Pack Service Pack 1, 2, and 3 are all listed as May 2017. This even extends to Windows 2000, 7 years after it stopped being supported.

        • That’s just a problem with the non-IE version of the update catalog (with wrong dates and such). The IE (ActiveX) version doesn’t exhibit the problem for me. They have also messed up their search engine, not allowing you to find drivers based on the device identifier anymore (again, this only happens with the non-IE variant).
