ADV180005 — Document signing deprecation in XPS Viewer
Executive Summary
Microsoft has deprecated the Document Signing functionality in XPS Viewer. This functionality relied upon the SHA-1 algorithm and is part of our overall effort to remove this algorithm from our products. This change impacts XPS Viewer on all supported versions of Windows. 1. I need to use this deprecated functionality. Is there a way to enable it? Yes. Please create the following registry entry: [HKEY_CURRENT_USER\Software\Microsoft\XPSViewer] "EnableDigitalSignatures"=dword:00000001 2. What risks am I accepting by using SHA-1 based document signing? SHA-1 is a legacy cryptographic hash that many in the security community believe is no longer secure. Using the SHA-1 hashing algorithm in document signing could allow an attacker to spoof content, perform phishing attacks, or otherwise manipulate content of a document. Microsoft, in collaboration with other members of the industry, is working to phase out the SHA-1 algorithm and to warn consumers of the possible risk when they encounter websites using the SHA-1 algorithm.
Overview
EPSS Score
No EPSS score available for this CVE.
View on FIRST.orgAffected Products
| Product | KB Article | Severity | Impact | Restart Required |
|---|---|---|---|---|
| Windows 10 for 32-bit Systems | 4074596 (Security Update) |
Unknown | Defense in Depth | Yes |
| Windows 10 for x64-based Systems | 4074596 (Security Update) |
Unknown | Defense in Depth | Yes |
| Windows 10 Version 1511 for 32-bit Systems | 4074591 (Security Update) |
Unknown | Defense in Depth | Yes |
| Windows 10 Version 1511 for x64-based Systems | 4074591 (Security Update) |
Unknown | Defense in Depth | Yes |
| Windows 10 Version 1607 for 32-bit Systems | 4074590 (Security Update) |
Unknown | Defense in Depth | Yes |
| Windows 10 Version 1607 for x64-based Systems | 4074590 (Security Update) |
Unknown | Defense in Depth | Yes |
| Windows 10 Version 1703 for 32-bit Systems | 4074592 (Security Update) |
Unknown | Defense in Depth | Yes |
| Windows 10 Version 1703 for x64-based Systems | 4074592 (Security Update) |
Unknown | Defense in Depth | Yes |
| Windows 10 Version 1709 for 32-bit Systems | 4074588 (Security Update) |
Unknown | Defense in Depth | Yes |
| Windows 10 Version 1709 for x64-based Systems | 4074588 (Security Update) |
Unknown | Defense in Depth | Yes |
| Windows 7 for 32-bit Systems Service Pack 1 4074598 (Monthly Rollup) 4074587 (Security Only) Unknown Defense in Depth 4056894 Base: N/A Temporal: N/A Vector: N/A Yes None Windows 7 for x64-based Systems Service Pack 1 4074598 (Monthly Rollup) 4074587 (Security Only) Unknown Defense in Depth 4056894 Base: N/A Temporal: N/A Vector: N/A Yes None Windows 8.1 for 32-bit systems 4074594 (Monthly Rollup) 4074597 (Security Only) Unknown Defense in Depth 4056895 Base: N/A Temporal: N/A Vector: N/A Yes None Windows 8.1 for x64-based systems 4074594 (Monthly Rollup) 4074597 (Security Only) Unknown Defense in Depth 4056895 Base: N/A Temporal: N/A Vector: N/A Yes None Windows RT 8.1 | 4074594 (Monthly Rollup) |
Unknown | Defense in Depth | Yes |
| Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1 4074598 (Monthly Rollup) 4074587 (Security Only) Unknown Defense in Depth 4056894 Base: N/A Temporal: N/A Vector: N/A Yes None Windows Server 2008 R2 for x64-based Systems Service Pack 1 4074598 (Monthly Rollup) 4074587 (Security Only) Unknown Defense in Depth 4056894 Base: N/A Temporal: N/A Vector: N/A Yes None Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) 4074598 (Monthly Rollup) 4074587 (Security Only) Unknown Defense in Depth 4056894 Base: N/A Temporal: N/A Vector: N/A Yes None Windows Server 2012 4074593 (Monthly Rollup) 4074589 (Security Only) Unknown Defense in Depth 4056896 Base: N/A Temporal: N/A Vector: N/A Yes None Windows Server 2012 (Server Core installation) 4074593 (Monthly Rollup) 4074589 (Security Only) Unknown Defense in Depth 4056896 Base: N/A Temporal: N/A Vector: N/A Yes None Windows Server 2012 R2 4074594 (Monthly Rollup) 4074597 (Security Only) Unknown Defense in Depth 4056895 Base: N/A Temporal: N/A Vector: N/A Yes None Windows Server 2012 R2 (Server Core installation) 4074594 (Monthly Rollup) 4074597 (Security Only) Unknown Defense in Depth 4056895 Base: N/A Temporal: N/A Vector: N/A Yes None Windows Server 2016 | 4074590 (Security Update) |
Unknown | Defense in Depth | Yes |
| Windows Server 2016 (Server Core installation) | 4074590 (Security Update) |
Unknown | Defense in Depth | Yes |
| Windows Server, version 1709 (Server Core Installation) | 4074588 (Security Update) |
Unknown | Defense in Depth | Yes |
Patches
| Article | Type | Restart |
|---|---|---|
4074596 |
Security Update | Yes |
4074591 |
Security Update | Yes |
4074590 |
Security Update | Yes |
4074592 |
Security Update | Yes |
4074588 |
Security Update | Yes |
4074594 |
Monthly Rollup | Yes |
Known Exploits
Acknowledgments
None