Number: IRCNE2014052192
Date: 2014-05-17
According to “techworld”, Microsoft released optional security updates Tuesday for various versions of the .NET Framework that prevent the RC4 encryption algorithm from being used in TLS (Transport Layer Security) connections.
The updates are only available through the Windows Update Catalog and the Microsoft Download Center, not Windows Update.
The Rivest Cipher 4 (RC4) was invented in 1987 by cryptographer Ronald Rivest and remained a popular encryption algorithm over the years despite cryptographic weaknesses being discovered by researchers.
Until last year, the use of RC4 as a preferred cipher in TLS was considered safe and actually recommended for a while after cipher-block chaining mode ciphers like AES-CBC were found to be vulnerable to attacks.
However, in March 2013, a team of researchers presented feasible attacks against RC4 as used in TLS.
In November Microsoft released an update for Windows 7, Windows 8, Windows RT, Windows Server 2008 R2 and Windows Server 2012 that allowed system administrators to disable RC4 support using registry settings. The new optional updates released Tuesday do the same thing, but for the .NET Framework.
"The use of RC4 in TLS could allow an attacker to perform man-in-the-middle attacks and recover plaintext from encrypted sessions," Microsoft said in a security advisory Tuesday.
While blocking RC4 is recommended, the company said that customers should plan and test the new settings prior to making this change in their environments.
In November, a test by Microsoft found that 43 percent of HTTPS websites prioritized the RC4 cipher in their configurations, but only about 4 percent of them actually required it. This means that browsers and other applications that act as TLS clients can choose a different cipher when negotiating TLS connections with the vast majority of servers.
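The difference between a server that prioritizes RC4 and one that requires it can be checked against an inventory of server cipher lists before RC4 is blocked on clients. The Python sketch below is an added example, not code from Microsoft or the original article. The host names and cipher lists are constructed, and it assumes the server selects the first suite in its own preference order that the client also offers.

```python
# Added example: host names and cipher lists below are constructed.
# Assumption: the server selects the first suite in its own preference
# order that the client also offers.

def is_rc4(suite):
    return "_RC4_" in suite

def negotiate(server_prefs, client_offer):
    """Return the suite the server would select, or None if none is shared."""
    offered = set(client_offer)
    return next((s for s in server_prefs if s in offered), None)

def classify(server_prefs):
    """Label a server by how its configuration treats RC4."""
    if server_prefs and all(is_rc4(s) for s in server_prefs):
        return "requires-rc4"
    if server_prefs and is_rc4(server_prefs[0]):
        return "prioritizes-rc4"
    return "rc4-not-preferred"

def plan_rc4_removal(inventory, client_offer):
    """Compare negotiation results before and after the client drops RC4."""
    hardened = [s for s in client_offer if not is_rc4(s)]
    return {
        host: {
            "class": classify(prefs),
            "before": negotiate(prefs, client_offer),
            "after": negotiate(prefs, hardened),  # None: handshake would fail
        }
        for host, prefs in inventory.items()
    }

# Constructed client offer and server inventory (suite names are IANA names).
CLIENT_OFFER = ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_RSA_WITH_AES_128_CBC_SHA",
                "TLS_RSA_WITH_RC4_128_SHA", "TLS_RSA_WITH_3DES_EDE_CBC_SHA"]
INVENTORY = {
    "legacy.example": ["TLS_RSA_WITH_RC4_128_SHA", "TLS_RSA_WITH_RC4_128_MD5"],
    "shop.example": ["TLS_RSA_WITH_RC4_128_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA"],
    "old-app.example": ["TLS_RSA_WITH_RC4_128_SHA", "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA"],
    "api.example": ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_RSA_WITH_AES_128_CBC_SHA"],
}

if __name__ == "__main__":
    for host, row in plan_rc4_removal(INVENTORY, CLIENT_OFFER).items():
        status = "BREAKS" if row["after"] is None else "ok"
        print(f"{host:16} {row['class']:18} {row['before']} -> {row['after']} [{status}]")
```

The `old-app.example` row shows why the check compares actual negotiation results: that server does not require RC4, yet the connection still fails because its only other suite is one this client does not offer.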