Verifying update hashes

Some of you may have noticed us improving our defense-in-depth practices for bulletins by supplying sha1 and sha2 hashes in the Knowledge Base (KB) articles. This has been most visible in the KB with the addition of the “File hash information” section, but it is also noted in the Frequently Asked Questions (FAQ) section of each bulletin for convenience.

From PowerShell you can easily leverage the .Net  Cryptographic Services to define a get-sha256 function like Mike Wilbur has done here. And though it should go without saying, I will say it anyhow – you should not use script or code from untrusted sources.

function get-sha256 {param($file);[system.bitconverter]::tostring([System.Security.Cryptography.sha256]::create().computehash([]::openread((resolve-path $file)))) -replace “-“,””

Let’s verify the hashes for the MS12-071:

After downloading the msu files we can simply iterate through the directory listing getting the sha2 hash for each file.

If you prefer not to use the .Net Cryptographic Services you could also verify sha1 hashes with the File Checksum Integrity Verifier utility available in KB 841290.

Though most people will not find the need to go to these lengths as automatic updates stream line the process of providing a secure means of distributing updates, we continually work to raise the bar as part of our ongoing drive to evaluate defense-in-depth efforts and provide improvements.

Thank you,

Dustin Childs
Group Manager
Microsoft Trustworthy Computing