Security Experts:

Connect with us

Hi, what are you looking for?


Network Security

Microsoft Disables RC4 in Edge and Internet Explorer 11

Starting this week, the RC4 cipher is disabled in Edge (Windows 10) and Internet Explorer 11 (Windows 7 and newer), bringing Microsoft’s browsers in line with Chrome and Firefox.

Starting this week, the RC4 cipher is disabled in Edge (Windows 10) and Internet Explorer 11 (Windows 7 and newer), bringing Microsoft’s browsers in line with Chrome and Firefox.

Around for almost 30 years, RC4 has been widely supported by online services and web applications, but it has been deemed vulnerable multiple times. Microsoft revealed plans to sunset RC4 in September last year, only a few months after researchers found a new attack method and demonstrated that RC4 attacks are increasingly practical and feasible.

On Tuesday, Microsoft released its August 2016 set of security patches, among which it slipped KB3151631, an update that disables RC4 in said browsers. The most recent versions of Chrome and Firefox also deprecated the cipher, and Edge and IE11 are now aligned with them.

“Modern attacks have demonstrated that RC4 can be broken within hours or days. The typical attacks on RC4 exploit biases in the RC4 keystream to recover repeatedly encrypted plaintexts. In February 2015, these new attacks prompted the Internet Engineering Task Force to prohibit the use of RC4 with TLS,” Brent Mills, Senior Program Manager, Windows Experience, explains in a blog post.

Before this week, Edge and IE11 allowed RC4 during a fallback from TLS 1.2 or 1.1 to TLS 1.0. While a fallback is usually the result of an innocent error, it cannot be distinguished from a man-in-the-middle attack, and this is why popular web browsers have disabled it.

The change, however, is expected to have little impact on the experience that most users receive when browsing the Internet. There is only a very small number of insecure web services that support only RC4, and it is continuously shrinking.

System admins with web services that rely on RC4, on the other hand, should take action. According to Mills, they should enable TLS 1.2 in their services and remove support for RC4.

To have RC4 disabled in Internet Explorer 11 and Microsoft Edge in Windows 10, users should install either KB3176492 Cumulative update for Windows 10: August 9, 2016, or KB3176493 Cumulative update for Windows 10 Version 1511: August 9, 2016, Microsoft explains.

Released in January this year, Firefox 44 dropped support for RC4, in addition to providing users with various other security improvements. Starting in June, Google removed support for the cipher from its SMTP servers and from Gmail’s web servers.

In a SecurityWeek column last year, F5 Networks evangelist David Holmes explained that one of the main reasons behind RC4’s success was its simplicity. “To misty-eyed old-timers like myself and many others, the simplicity of RC4 was its greatest appeal. And perhaps the simplicity of the newer stream ciphers such as ChaCha will be what drives their adoption moving forward,” he said.

Written By

Click to comment

Expert Insights

Related Content

Network Security

NSA publishes guidance to help system administrators identify and mitigate cyber risks associated with transitioning to IPv6.


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...

Cybersecurity Funding

Forward Networks, a company that provides network security and reliability solutions, has raised $50 million from several investors.

Network Security

Cisco patched a high-severity SQL injection vulnerability in Unified Communications Manager (CM) and Unified Communications Manager Session Management Edition (CM SME).

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...

Cybersecurity Funding

Network security provider Corsa Security last week announced that it has raised $10 million from Roadmap Capital. To date, the company has raised $50...

Network Security

Vulnerabilities identified in TP-Link and NetComm router models could be exploited to achieve remote code execution (RCE).