Microsoft's .NET Framework security updates further effort to phase out RC4 encryption

The company advises customers to stop using the RC4 cipher in TLS connections because of known weaknesses in the algorithm

Microsoft released optional security updates Tuesday for various versions of the .NET Framework that prevent the RC4 encryption algorithm from being used in TLS (Transport Layer Security) connections.

The updates are only available through the Windows Update Catalog and the Microsoft Download Center, not Windows Update, and are part of Microsoft's efforts that began in November to phase out the use of RC4 in TLS. They are in addition to the company's scheduled security patches for Windows, Internet Explorer and Office.

The Rivest Cipher 4 (RC4) was invented in 1987 by cryptographer Ronald Rivest and remained a popular encryption algorithm over the years despite cryptographic weaknesses being discovered by researchers.

Until last year, the use of RC4 as a preferred cipher in TLS was considered safe and actually recommended for a while after cipher-block chaining mode ciphers like AES-CBC were found to be vulnerable to attacks.

However, in March 2013, a team of researchers presentedfeasible attacks against RC4 as used in TLS; subsequent revelations about the U.S. National Security Agency's efforts to defeat encryption sparked concerns that breaking RC4 might be within its capabilities.

In November Microsoft released an update for Windows 7, Windows 8, Windows RT, Windows Server 2008 R2 and Windows Server 2012 that allowed system administrators to disable RC4 support using registry settings. The new optional updates released Tuesday do the same thing, but for the .NET Framework.

"The use of RC4 in TLS could allow an attacker to perform man-in-the-middle attacks and recover plaintext from encrypted sessions," Microsoft said in ">a security advisory Tuesday. "A man-in-the-middle attack occurs when an attacker reroutes communication between two users through the attacker's computer without the knowledge of the two communicating users. Each user in the communication unknowingly sends traffic to and receives traffic from the attacker, all the while thinking they are communicating only with the intended user."

While blocking RC4 is recommended, the company said that customers should plan and test the new settings prior to making this change in their environments.

TLS offers a choice of ciphers that server administrators can specify in their configurations, but versions 1.0 and 1.1 of the protocol support only CBC ciphers and RC4, all of which are now considered insecure.

The AES-GCM cipher is a safe alternative, but it is only available in TLS version 1.2 which has yet to see widespread deployment. A scan of the top 155,000 HTTPS websites performed this month by the SSL Pulse Project revealed that only around 35 percent of them supported TLS 1.2.

In November, a test by Microsoft found that 43 percent of HTTPS websites prioritized the RC4 cipher in their configurations, but only about 4 percent of them actually required it. This means that browsers and other applications that act as TLS clients can choose a different cipher when negotiating TLS connections with the vast majority of servers.

Join the CSO newsletter!

Error: Please check your email address.

Tags patchesonline safetyMicrosoftsecuritypatch managementencryptionExploits / vulnerabilitiespki

More about AES EnvironmentalMicrosoftNational Security Agency

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Lucian Constantin

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts