Microsoft has reminded customers that multiple .NET Framework versions signed using the insecure Secure Hash Algorithm 1 (SHA-1) will reach their end of life this month.
The .NET Framework is a free software development framework that helps developers build .NET applications, websites, and services, which users can run on many operating systems (including Windows) with the help of different implementations of .NET.
“On April 26, 2022, the .NET Framework 4.5.2, 4.6, and 4.6.1 will reach end of support, and after this date, Microsoft will no longer provide updates including security fixes and technical support for these versions,” Microsoft said in a Windows message center update.
“There is no change to the support timelines for any other .NET Framework version. If you are using .NET Framework 4.5.2, 4.6, or 4.6.1, you will need to upgrade to a later version to stay supported.”
As already revealed in the initial announcement, there is one exception: the .NET Framework 4.6 version shipping with Windows 10 Enterprise LTSC 2015 will still be supported until October 2025, when the OS reaches its end of life.
Microsoft advises .NET developers to migrate their apps to .NET Framework 4.6.2 or later before April 26, 2022, to keep receiving technical support and security updates.
.NET Framework 4.6.2 (shipped almost five years ago) and .NET Framework 4.8 (shipped eight years ago) are both compatible in-place replacements and stable runtimes already “broadly deployed to hundreds of millions of computers via Windows Update (WU).”
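One way to check a Windows host against this deadline, as an added example that is not from Microsoft or the original article: it reads the `Release` value under the `NDP\v4\Full` registry key and flags anything below .NET Framework 4.6.2. The function names are hypothetical, and the script does not detect the Windows 10 Enterprise LTSC 2015 exception, so .NET Framework 4.6 on that OS is still reported as needing an upgrade.

```powershell
# Added example (not Microsoft's code). Thresholds are the minimum "Release"
# registry values Microsoft documents for each .NET Framework 4.x version.
function Get-NetFxVersionFromRelease {
    param([Parameter(Mandatory)][int]$Release)
    $map = @(
        @{ Min = 533320; Version = '4.8.1 or later' }
        @{ Min = 528040; Version = '4.8' }
        @{ Min = 461808; Version = '4.7.2' }
        @{ Min = 461308; Version = '4.7.1' }
        @{ Min = 460798; Version = '4.7' }
        @{ Min = 394802; Version = '4.6.2' }
        @{ Min = 394254; Version = '4.6.1' }
        @{ Min = 393295; Version = '4.6' }
        @{ Min = 379893; Version = '4.5.2' }
    )
    # The map is ordered newest first, so the first threshold met wins.
    foreach ($entry in $map) {
        if ($Release -ge $entry.Min) { return $entry.Version }
    }
    return 'earlier than 4.5.2'
}

function Get-NetFxSupportStatus {
    # Hypothetical helper: reports the installed 4.x runtime on the local host.
    $key = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'
    $release = (Get-ItemProperty -Path $key -Name Release -ErrorAction SilentlyContinue).Release
    if ($null -eq $release) {
        # Key or value missing: no .NET Framework 4.5+ runtime is registered.
        return [pscustomobject]@{
            Release = $null; Version = 'no 4.5+ runtime detected'; NeedsUpgrade = $null
        }
    }
    [pscustomobject]@{
        Release      = $release
        Version      = Get-NetFxVersionFromRelease -Release $release
        # The article's guidance: move to 4.6.2 or later to stay supported.
        NeedsUpgrade = ($release -lt 394802)
    }
}

# Local host check.
Get-NetFxSupportStatus

# Constructed sample Release values, e.g. collected from a fleet inventory.
379893, 394271, 394806, 528372 | ForEach-Object {
    [pscustomobject]@{ Release = $_; Version = Get-NetFxVersionFromRelease -Release $_ }
}
```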
Retired due to SHA-2 signing switch
A report published in 2015 described how SHA-1’s vulnerability to collision attacks could allow hackers to forge digital certificates to impersonate companies or websites, add legitimacy to phishing messages, or launch man-in-the-middle attacks to snoop on encrypted network traffic.
Microsoft is retiring these .NET Framework versions after switching to SHA-2 digital signing from using the legacy SHA-1 cryptographic hashing algorithm, which is now insecure.
Since May 9, 2021, all major Microsoft services and processes (including code signing, file hashing, and TLS certificates) have been using the SHA-2 algorithm exclusively.
Microsoft also retired all Windows-signed SHA-1 content from the Microsoft Download Center almost two years ago, in August 2020, after switching to the SHA-2 algorithm for signing Windows updates one year before.
Despite SHA-2 being used for signing binaries, it’s important to note that Windows executables signed with manually installed enterprise or self-signed SHA-1 certificates will still be able to run.