Microsoft's .NET Framework security updates further effort to phase out RC4 encryption

The company advises customers to stop using the RC4 cipher in TLS connections because of known weaknesses in the algorithm

By Lucian Constantin, IDG News Service |  Security

Microsoft released optional security updates Tuesday for various versions of the .NET Framework that prevent the RC4 encryption algorithm from being used in TLS (Transport Layer Security) connections.

The updates are only available through the Windows Update Catalog and the Microsoft Download Center, not Windows Update, and are part of Microsoft's efforts that began in November to phase out the use of RC4 in TLS. They are in addition to the company's scheduled security patches for Windows, Internet Explorer and Office.

The Rivest Cipher 4 (RC4) was invented in 1987 by cryptographer Ronald Rivest and remained a popular encryption algorithm over the years despite cryptographic weaknesses being discovered by researchers.

Until last year, the use of RC4 as a preferred cipher in TLS was considered safe and actually recommended for a while after cipher-block chaining mode ciphers like AES-CBC were found to be vulnerable to attacks.

However, in March 2013, a team of researchers presentedfeasible attacks against RC4 as used in TLS; subsequent revelations about the U.S. National Security Agency's efforts to defeat encryption sparked concerns that breaking RC4 might be within its capabilities.

In November Microsoft released an update for Windows 7, Windows 8, Windows RT, Windows Server 2008 R2 and Windows Server 2012 that allowed system administrators to disable RC4 support using registry settings. The new optional updates released Tuesday do the same thing, but for the .NET Framework.

"The use of RC4 in TLS could allow an attacker to perform man-in-the-middle attacks and recover plaintext from encrypted sessions," Microsoft said in ">a security advisory Tuesday. "A man-in-the-middle attack occurs when an attacker reroutes communication between two users through the attacker's computer without the knowledge of the two communicating users. Each user in the communication unknowingly sends traffic to and receives traffic from the attacker, all the while thinking they are communicating only with the intended user."

While blocking RC4 is recommended, the company said that customers should plan and test the new settings prior to making this change in their environments.

TLS offers a choice of ciphers that server administrators can specify in their configurations, but versions 1.0 and 1.1 of the protocol support only CBC ciphers and RC4, all of which are now considered insecure.

Join us:
Facebook

Twitter

Pinterest

Tumblr

LinkedIn

Google+

SecurityWhite Papers & Webcasts

See more White Papers | Webcasts

Answers - Powered by ITworld

ITworld Answers helps you solve problems and share expertise. Ask a question or take a crack at answering the new questions below.

Join us:
Facebook

Twitter

Pinterest

Tumblr

LinkedIn

Google+

Ask a Question