Microsoft Ending RC4 Support in Edge and IE Next Month -- Redmondmag.com

Microsoft Ending RC4 Support in Edge and IE Next Month

By Kurt Mackie
03/17/2016

Microsoft will pull the plug on support for the RC4 cipher used with its Edge and Internet Explorer 11 browsers, starting next month.

On April 12, RC4 will be disabled in Edge and IE browsers. Security updates, delivered as part of Microsoft's April "patch Tuesday" release, will cause this security cipher to be "disabled by default," according to Microsoft's announcement this week.

"There is consensus across the industry that RC4 is no longer cryptographically secure," Microsoft's announcement explained. "With this change, Microsoft Edge and IE11 are aligned with the most recent versions of Google Chrome and Mozilla Firefox."

Microsoft targeted RC4 in September, following the lead of other browser makers, such as Google and Mozilla. However, back then, Microsoft had just indicated that it would end RC4 support in its browsers in "early 2016."

Currently, RC4 is used by just 8.5 percent of modern browsers, per the Trustworthy Internet Movement, an organization founded by software security firm Qualys. Here are the March RC4 findings from its SSL Pulse page:

**[Click on image for larger view.]** RC4 use, March 2016. Source: SSL Pulse.

Microsoft's general advice for organizations is that they should "enable TLS 1.2 in their services and remove support for RC4."

RC4 is a stream cipher that's been a long-time Internet staple for encrypting both upstream and downstream client-server communications. It's part of the Transport Layer Security (TLS) protocol, which started out as the Secure Socket Layers (SSL) protocol.

Researchers have long known that RC4 is flawed. It has a so-called "invariance weakness" that can partially expose plaintext bytes, which can be used in man-in-the-middle attacks for session hijacking by recovering session cookies or by breaking passwords. Typically, it takes brute-force attempts to carry out such attacks, according to an explanation by Imperva (PDF).

The vulnerability of browsers to RC4 flaws has varied, depending on browser version. A chart published by Wikipedia shows browser RC4 vulnerabilities in a color-coded scheme. Microsoft's more recent browsers, such as IE 11, are listed in the chart as having low vulnerability. However, IE 11 can be an attack vector if it gets tricked into using older security protocols. That's one reason why RC4 has to go.

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.

Featured

Real-World Ransomware Recovery

Here's how I was (mostly) successful in recovering a family PC infected with malware.
Microsoft Launches Small AI Models Family Phi-3

Recognizing that bigger isn't always better, Microsoft has released its smallest open AI models to date, Phi-3.
Microsoft and OpenAI Continue Global AI Expansions

Microsoft and OpenAI each continued their global expansion this month, with the announcements of new infrastructure investments and service rollouts in new regions, like Asia and the Middle East.
Cisco Warns of Brute Force Attacks Targeting VPNs and Firewalls

Cisco has revealed that a global increase in brute force attacks targeting Virtual Private Networks (VPNs) and other devices is currently taking place.
What's Inside Microsoft 365's Security Toolbox?

Microsoft provides plenty of native tools to secure Microsoft 365. IT pros just have to know where to look.