Microsoft Ends RC4 Support in Browsers with August Patch
With the Tuesday release of Microsoft's monthly security patch, RC4 support has been cut from Edge and Internet Explorer 11 browsers.
It might be thought that RC4, a stream cipher used in client-server communications that's long been considered to be cryptographically insecure, was already gone from those browsers. Microsoft declared its intention to kill it off last year. In March of this year, Microsoft indicated that RC4 would go away on April 12. However, it later delayed that action in response to "customer feedback."
This time Microsoft will pull the trigger on RC4. It's happening via patch KB3151631, which is part of Microsoft's security update MS16-095 in the August batch of bulletins, released today. The patch will disable RC4 "for Microsoft Edge and Internet Explorer users on Windows 7, Windows 8.1 and Windows 10," Microsoft indicated in its announcement today.
Microsoft today released nine security bulletins for August, with five deemed "critical" for organizations to apply, and four deemed "important." There's also a security advisory (3179528) out today that warns organizations about a "blacklisted" securitykernel.exe program that could be a potential information disclosure risk.
Not many browsers currently use RC4. The Trustworthy Internet Movement's SSL Pulse page showed just 6.5 percent of modern browsers used RC4 this month. Microsoft described RC4 use as "small and shrinking" in its announcement.
Microsoft is following the lead of Google and Mozilla by getting rid of RC4 because the cipher can be broken in hours via man-in-the-middle session hijacking attacks. Typically attackers trick browsers into using the insecure RC4 cipher to carry out the attacks. The Internet Engineering Task Force has stated that RC4 should be prohibited from use with client and server Transport Layer Security (TLS) connections.
Microsoft recommends that organizations enable Transport Layer Security 1.2 in their services and stop using RC4. Ciphers supported by various Windows versions are described at this page.
Kurt Mackie is senior news producer for the 1105 Enterprise Computing Group.