Back in 2017, Google discovered a flaw in the (by then already old and superseded) SHA-1 algorithm. SHA-1 is a hashing function, which takes an input and converts it to a unique value. Being a hash function, this transformation can only go one way (you can convert a value to a hash, but you can’t convert a hash back to the original value). Hashing functions are vital in software, being used for password storage, certificate signing and file verification.
The flaw in SHA-1 allowed 2 different files to generate the exact same hash. This is a major vulnerability. For example, if the OS used a SHA-1 hash to verify an update was valid, an attacker could produce a malicious update that would generate the same hash and pass verification.
There’s a much better and more detailed explanation here
Announcing the first SHA1 collision
Theoretical attacks have been known in SHA1 for over a decade, and NIST recommended against using SHA1 back in 2012
Hash Functions | CSRC. So tbh, it’s a long overdue fix by MS.
From an end user point of view, there’s no noticeable difference, but it’s an important security fix.
