Connect with us

Hi, what are you looking for?


Network Security

Microsoft Disables RC4 in Edge and Internet Explorer 11

Starting this week, the RC4 cipher is disabled in Edge (Windows 10) and Internet Explorer 11 (Windows 7 and newer), bringing Microsoft’s browsers in line with Chrome and Firefox.

Starting this week, the RC4 cipher is disabled in Edge (Windows 10) and Internet Explorer 11 (Windows 7 and newer), bringing Microsoft’s browsers in line with Chrome and Firefox.

Around for almost 30 years, RC4 has been widely supported by online services and web applications, but it has been deemed vulnerable multiple times. Microsoft revealed plans to sunset RC4 in September last year, only a few months after researchers found a new attack method and demonstrated that RC4 attacks are increasingly practical and feasible.

On Tuesday, Microsoft released its August 2016 set of security patches, among which it slipped KB3151631, an update that disables RC4 in said browsers. The most recent versions of Chrome and Firefox also deprecated the cipher, and Edge and IE11 are now aligned with them.

“Modern attacks have demonstrated that RC4 can be broken within hours or days. The typical attacks on RC4 exploit biases in the RC4 keystream to recover repeatedly encrypted plaintexts. In February 2015, these new attacks prompted the Internet Engineering Task Force to prohibit the use of RC4 with TLS,” Brent Mills, Senior Program Manager, Windows Experience, explains in a blog post.

Before this week, Edge and IE11 allowed RC4 during a fallback from TLS 1.2 or 1.1 to TLS 1.0. While a fallback is usually the result of an innocent error, it cannot be distinguished from a man-in-the-middle attack, and this is why popular web browsers have disabled it.

The change, however, is expected to have little impact on the experience that most users receive when browsing the Internet. There is only a very small number of insecure web services that support only RC4, and it is continuously shrinking.

System admins with web services that rely on RC4, on the other hand, should take action. According to Mills, they should enable TLS 1.2 in their services and remove support for RC4.

Advertisement. Scroll to continue reading.

To have RC4 disabled in Internet Explorer 11 and Microsoft Edge in Windows 10, users should install either KB3176492 Cumulative update for Windows 10: August 9, 2016, or KB3176493 Cumulative update for Windows 10 Version 1511: August 9, 2016, Microsoft explains.

Released in January this year, Firefox 44 dropped support for RC4, in addition to providing users with various other security improvements. Starting in June, Google removed support for the cipher from its SMTP servers and from Gmail’s web servers.

In a SecurityWeek column last year, F5 Networks evangelist David Holmes explained that one of the main reasons behind RC4’s success was its simplicity. “To misty-eyed old-timers like myself and many others, the simplicity of RC4 was its greatest appeal. And perhaps the simplicity of the newer stream ciphers such as ChaCha will be what drives their adoption moving forward,” he said.

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...

Cybersecurity Funding

Network security provider Corsa Security last week announced that it has raised $10 million from Roadmap Capital. To date, the company has raised $50...

Network Security

Attack surface management is nothing short of a complete methodology for providing effective cybersecurity. It doesn’t seek to protect everything, but concentrates on areas...

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet

Network Security

NSA publishes guidance to help system administrators identify and mitigate cyber risks associated with transitioning to IPv6.

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...