Microsoft Ending RC4 Support in Edge and IE Next Month

Microsoft will pull the plug on support for the RC4 cipher used with its Edge and Internet Explorer 11 browsers, starting next month.

On April 12, RC4 will be disabled in Edge and IE browsers. Security updates, delivered as part of Microsoft's April "patch Tuesday" release, will cause this security cipher to be "disabled by default," according to Microsoft's announcement this week.

"There is consensus across the industry that RC4 is no longer cryptographically secure," Microsoft's announcement explained. "With this change, Microsoft Edge and IE11 are aligned with the most recent versions of Google Chrome and Mozilla Firefox."

Microsoft targeted RC4 in September, following the lead of other browser makers, such as Google and Mozilla. However, back then, Microsoft had just indicated that it would end RC4 support in its browsers in "early 2016."

Currently, RC4 is used by just 8.5 percent of modern browsers, per the Trustworthy Internet Movement, an organization founded by software security firm Qualys. Here are the March RC4 findings from its SSL Pulse page:

[Click on image for larger view.] RC4 use, March 2016. Source: SSL Pulse.

Microsoft's general advice for organizations is that they should "enable TLS 1.2 in their services and remove support for RC4."

RC4 is a stream cipher that's been a long-time Internet staple for encrypting both upstream and downstream client-server communications. It's part of the Transport Layer Security (TLS) protocol, which started out as the Secure Socket Layers (SSL) protocol.

Researchers have long known that RC4 is flawed. It has a so-called "invariance weakness" that can partially expose plaintext bytes, which can be used in man-in-the-middle attacks for session hijacking by recovering session cookies or by breaking passwords. Typically, it takes brute-force attempts to carry out such attacks, according to an explanation by Imperva (PDF).

The vulnerability of browsers to RC4 flaws has varied, depending on browser version. A chart published by Wikipedia shows browser RC4 vulnerabilities in a color-coded scheme. Microsoft's more recent browsers, such as IE 11, are listed in the chart as having low vulnerability. However, IE 11 can be an attack vector if it gets tricked into using older security protocols. That's one reason why RC4 has to go.

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.


  • Microsoft and SAP Enhance Partnership with Teams Integration

    Microsoft and SAP this week described continuing partnership efforts on Microsoft Azure, while also planning a Microsoft Teams integration with SAP's enterprise resource planning product and other solutions.

  • Blue Squares Graphic

    Microsoft Previews Azure IoT Edge for Linux on Windows

    Microsoft announced a preview of Azure IoT Edge for Linux on Windows, which lets organizations tap Linux virtual machine processes that also work with Windows- and Azure-based processes and services.

  • How To Automate Tasks in Azure SQL Database

    Knowing how to automate tasks in the cloud will make you a more productive DBA. Here are the key concepts to understand about cloud scripting and a rundown of the best tools for automating code in Azure.

  • Microsoft Open License To End Next Year for Government and Education Groups

    Microsoft's "Open License program" will end on Jan. 1, 2022, and not just for commercial customers, but also for government, education and nonprofit organizations.

comments powered by Disqus