New Security Update Disables RC4 in Transport Layer Security
Microsoft has released an update designed to disable RC4 in TLS to stop man-in-the-middle attacks.
June 20, 2014
First reported in May 2014, an update is now available for practically all supported versions of Windows running the Microsoft .NET Framework 3.5 through 4.5.x. The update disables RC4 (a stream cipher used for encryption and decryption) in Transport Layer Security (TLS, the latest version of the Secure Sockets Layer protocol) because of a vulnerability that could allow an attacker to perform man-in-the-middle attacks and recover plaintext from encrypted sessions.
Microsoft released the security update on June 19 and is making it available through the Microsoft Download Center and Microsoft Update Catalog only. The update will not be provided through Windows Update, since disabling RC4 could disrupt applications and services developed to use it. Companies will need to test before rolling out the update to ensure nothing is broken after installation, so it is available only as a manual download.
On all affected Windows versions except Windows 8.1, Windows Server 2012 R2, and Windows RT 8.1, KB2868725 (released in November 2013) must be installed first as a prerequisite.
Full information about this update is located in Microsoft Security Advisory 2960358.