Skip to content

Search the site

.NET frameworks using insecure SHA-1 crypto to be retired next year.

"Should be uneventful", says Redmond...

Microsoft is retiring several versions of its .NET framework -- a software development framework for building and running applications on Windows -- owing to their use of the vulnerable SHA-1 cryptographic algorithm.

.NET 4.5.2, 4.6, and 4.6.1 will reach end of support on April 26, 2022, Microsoft confirmed this week. Users will need to updated their deployed runtime to at least .NET 4.6.2 before that date to continue getting updates.

Mercifully, applications will not need to be recompiled.

It's not just .NET, of course getting switched to SHA-2. In less than two weeks -- from May 9, 2021 --  all major Microsoft processes and services, including TLS certificates, code signing and file hashing, will use the SHA-2 algorithm exclusively. (Windows updates have only been signed with SHA-2 since 2019 and Redmond retired all Windows-signed SHA-1 content from the Microsoft Download Center on August 3, 2020.)

SHA-1 has been breakable for some time, with "concrete risk of abuse by a well-motivated adversary" becoming more likely as of early 2020, when a proof-of-concept attack that “fully and practically” breaks the encryption was demonstrated by researchers Gaëtan Leurent and Thomas Peyrin.

".NET Framework 4.6.2 shipped nearly 5 years ago, and .NET Framework 4.8 shipped 2 years ago,~" Microsoft said in an April 25 blog, "so both versions are solid, stable runtimes for your applications.

".NET Framework 4.6.2 and 4.8 are highly compatible in-place updates (replacements) for .NET 4.5.2, 4.6, and 4.6.1 and broadly deployed to hundreds of millions of computers via Windows Update (WU). If your computer is configured to take the latest updates from WU your application is likely already running on .NET Framework 4.8."

Redmond added in a separate post that "we expect the SHA-1 certificate expiration to be uneventful. All major applications and services have been tested, and we have conducted a broad analysis of potential issues."

That said, bugs may rear their heads and users trying to install or use applications or drivers that are only SHA-1 signed are likely to start seeing a note saying "Windows can’t verify the publisher of this driver software".

To check your software is SHA-2 signed:

  1. Find the executable (EXE) file in File Explorer for the applications that you want to examine.
  2. Right-click the EXE file and select Properties.
  3. Select the Digital Signatures tab in the Properties dialog box.
  4. If your application is SHA-2 signed, you will see SHA256 in the Digest algorithm column in the Signature list section.

See also: Several unpatched and exploitable vulns in Exim — known since October 2020 -- are not getting patched until May 2021...