Slashdot Mirror


Microsoft Disables RC4 In Internet Explorer 11 and Edge (winbeta.org)

An anonymous reader quotes a report from WinBeta: Microsoft released KB3151631 as part of today's Patch Tuesday set of updates that will disable RC4 in both Internet Explorer 11 on Windows 7 and later and in the Edge browser on Windows 10. As the company describes things: "RC4 is a stream cipher that was first described in 1987, and has been widely supported across web browsers and online services. Modern attacks have demonstrated that RC4 can be broken within hours or days. The typical attacks on RC4 exploit biases in the RC4 keystream to recover repeatedly encrypted plaintexts. In February 2015, these new attacks prompted the Internet Engineering Task Force to prohibit the use of RC4 with TLS. Previously, Microsoft Edge and Internet Explorer 11 allowed RC4 during a fallback from TLS 1.2 or 1.1 to TLS 1.0. A fallback to TLS 1.0 with RC4 is most often the result of an innocent error, but this is indistinguishable from a man-in-the-middle attack. For this reason, RC4 is now entirely disabled by default for Microsoft Edge and Internet Explorer users on Windows 7, Windows 8.1 and Windows 10."
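
The "biases in the RC4 keystream" the advisory mentions are easy to see directly. The script below is an added example, not code from the story or from Microsoft: it implements textbook RC4 (KSA and PRGA), measures the well-known Mantin-Shamir bias (the second keystream byte is 0 about twice as often as a uniform byte would be), and then uses that bias to recover the second byte of a plaintext that was encrypted repeatedly under different keys. The 16-byte keys, the seed and the sample plaintext are constructed here for reproducibility; they are not from the page.

```python
"""RC4 second-byte bias and plaintext recovery (added illustration).

Uniform keystream would give P[ks[1] == 0] = 1/256.  RC4 gives roughly
2/256, so across many encryptions of the same plaintext under different
keys, ciphertext byte 1 equals plaintext byte 1 more often than any
other value.  This is the simplest instance of the "repeatedly encrypted
plaintext" attacks that led the IETF to prohibit RC4 in TLS.
"""
import random


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Standard RC4: key-scheduling algorithm, then the output generator."""
    S = list(range(256))
    j = 0
    for i in range(256):  # KSA
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):  # PRGA
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """RC4 encryption and decryption are the same XOR with the keystream."""
    return bytes(p ^ k for p, k in zip(data, rc4_keystream(key, len(data))))


def bias_demo(num_keys: int = 20000, seed: int = 1,
              plaintext: bytes = b"GET /") -> dict:
    """Encrypt the same plaintext under num_keys random keys.

    Returns the observed rate of ks[1] == 0 and the attacker's guess for
    plaintext[1], taken as the most frequent ciphertext byte at index 1.
    Keys come from a seeded PRNG (constructed input) so runs are repeatable.
    """
    rng = random.Random(seed)
    zeros = 0
    counts = [0] * 256
    for _ in range(num_keys):
        key = bytes(rng.getrandbits(8) for _ in range(16))
        ks = rc4_keystream(key, len(plaintext))
        if ks[1] == 0:
            zeros += 1
        ct = bytes(p ^ k for p, k in zip(plaintext, ks))
        counts[ct[1]] += 1
    guess = max(range(256), key=counts.__getitem__)
    return {
        "zero_rate": zeros / num_keys,      # expect about 2/256 = 0.0078
        "uniform_rate": 1 / 256,            # what an unbiased cipher gives
        "recovered_byte": guess,            # expect plaintext[1]
        "true_byte": plaintext[1],
    }


if __name__ == "__main__":
    r = bias_demo()
    print(f"P[ks[1]==0] = {r['zero_rate']:.5f} (uniform: {r['uniform_rate']:.5f})")
    print(f"recovered plaintext[1] = {r['recovered_byte']!r}, "
          f"actual = {r['true_byte']!r}")
```

Real attacks such as those cited by the IETF use many more keystream positions and far more sessions, but the mechanism is the same: any fixed plaintext (a cookie, a password field) encrypted under many fresh RC4 keys leaks through these biases regardless of how the key was negotiated.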

40 comments

  1. Good! by Anonymous Coward · · Score: 0

    Or?

  2. Disable Edge and IE by Anonymous Coward · · Score: 2, Insightful

    If you want security, only use open source browsers on an open source OS like Linux. Disable Edge and IE. And disable Windows. Only an open source browser on Firefox running on an open source OS like Linux can truly be secure. All the millions of people looking over the source code ensures bugs are discovered and fixed quickly. I mean, it's great that Microsoft removes insecure ciphers, but open source is much faster to disable insecure ciphers like RC4.

    1. Re:Disable Edge and IE by Anonymous Coward · · Score: 1, Interesting

      Perhaps you might want to go and look at the security vulnerability reports for the past few years. IE and Edge suck, but Chrome, Firefox etc. suck even worse.

    2. Re:Disable Edge and IE by BradMajors · · Score: 4, Informative

      All the millions of people looking over the source code ensures bugs are discovered and fixed quickly.

      Nope. There are many open source projects that have known security bugs which remain unfixed after as long as ten years.

    3. Re:Disable Edge and IE by Narcocide · · Score: 1, Insightful

      Yea, but nobody who knows what they're talking about takes noob complaints about BASH vulnerabilities seriously. Sometimes you simply ARE using the wrong tool for the job. I know you Windows users hate being told that though.

    4. Re:Disable Edge and IE by WaffleMonster · · Score: 2, Informative

      Only an open source browser on Firefox running on an open source OS like Linux can truly be secure. All the millions of people looking over the source code ensures bugs are discovered and fixed quickly.

      You mean this Firefox or a different one?

      https://it.slashdot.org/story/...

    5. Re:Disable Edge and IE by Rick+Zeman · · Score: 2

      All the millions of people looking over the source code ensures bugs are discovered and fixed quickly.

      Nope. There are many open source projects that have known security bugs which remain unfixed after as long as ten years.

      OpenSSL being case in point.

    6. Re:Disable Edge and IE by Anonymous Coward · · Score: 0

      Only an open source browser on Firefox running on an open source OS like Linux can truly be secure. All the millions of people looking over the source code ensures bugs are discovered and fixed quickly.

      You mean this Firefox or a different one?

      https://it.slashdot.org/story/...

      hey, HEY! Hands off the kiddies. They still have hopes and dreams and haven't been weighted down with angst and jaded out of their minds like the rest of us.

      They'll grow up soon enough like all other kids, give them some time to dream and be happy before that happens. They'll reach the real world before you (and in particular THEY) know what hit them; in the meantime let them do what they want and make sure there aren't any excess body parts around from when they fall and break something.

      Society may treat all snowflakes as special; *I* say they're only special if they have too few (or too many) body parts attached. (example: Zaphod Beeblebrox)

    7. Re:Disable Edge and IE by Anonymous Coward · · Score: 0

      More security vulnerability reports doesn't mean there are more security vulnerabilities. It only means there are more reports. This may be because it's easier for security researchers to discover a vulnerability, not because there are more of them.

    8. Re:Disable Edge and IE by Anonymous Coward · · Score: 0

      Incorrect. Most vulnerabilities for both open source and closed source, when it comes to browsers, are found the same way: not through source code analysis but through fuzzing, testing fringe cases, investigating crashes etc. Source code analysis really only helps with low-hanging fruit, which is long gone in all browsers (including the closed source ones).

    9. Re:Disable Edge and IE by Anonymous Coward · · Score: 0

      Hi! I modded you Troll, because I'm tired of that headline being thrown around.

      As I've explained to a couple of people already (to deaf ears, obviously), they disqualified Firefox because they had not spent time implementing hardening techniques for their browser while the other browsers had recently done so.

      Hardening techniques are only a last-line defence. They likely do not reduce the total amount of security flaws, only make them somewhat harder to exploit.

    10. Re:Disable Edge and IE by EndlessNameless · · Score: 1

      What about Heartbleed? That was pretty bad.

      I mean, it's not like OpenSSL had a serious vulnerability in its production codebase for years that affected the numerous applications dependent on it.

      It's not like major enterprise vendors such as Cisco and VMware included that code as part of their products.

      --
      According to the latest ruleset, this post should be modded as Vorpal Flamebait +5.
    11. Re: Disable Edge and IE by Anonymous Coward · · Score: 0

      HE FORGOT TO POST ANONYMOUSLY

      WE FINALLY KNOW WHO THE APP GUY IS

      The filter is stupid. Caps are not yelling. Everyone knows italics are yelling.

    12. Re: Disable Edge and IE by hackwrench · · Score: 1

      No, I just like the originator's sense of humor. I on the other hand don't post anonymously, except for once on a phone where the anonymous checkbox was easy to hit, and I posted a follow-up later. I'm flattered you think I did the original justice though. So... Maybe sexconker isn't the originator of the Moo cow bit?

    13. Re: Disable Edge and IE by Anonymous Coward · · Score: 0

      Lie to me, baby. So sexy.

    14. Re:Disable Edge and IE by Narcocide · · Score: 1

      Heartbleed was vulnerable upstream for a very long time. It didn't survive very long after being pushed to Debian stable before it was noticed though. You are probably vastly mistaken about the percentage of critical systems running bleeding-edge builds of stuff in the real world.

  3. The usual suspect is vulnerable by Anonymous Coward · · Score: 0

    How typical that IE and Edge are vulnerable on Windows. Whenever there's a vulnerability reported, it's usually something written by Microsoft and running on Windows.

  4. Hours or days vs. nanoseconds to spy by Impy+the+Impiuos+Imp · · Score: 2, Insightful

    It was pointless at this point. Security agencies don't need to waste "hours or days" decrypting weak schemes when they can just use provided backdoors anyway.

    --
    (-1: Post disagrees with my already-settled worldview) is not a valid mod option.
    1. Re:Hours or days vs. nanoseconds to spy by cryptizard · · Score: 4, Insightful

      Pretty sure most people are worried about attackers other than the government.

    2. Re:Hours or days vs. nanoseconds to spy by SeaFox · · Score: 1

      Pretty sure most people are worried about attackers other than the government.

      Well thank goodness those backdoors only work for the government, and only when the government is doing the "right" thing, and nobody who knows about the backdoors has ever left the government and joined a criminal organization, and the criminals haven't managed to get into government jobs ever.

  5. Disabled by Anonymous Coward · · Score: 1

    Dump-a-Drumpf 2016/Forever

  6. Microsoft Hypocrisy by Anonymous Coward · · Score: 4, Informative

    Disables old insecure cipher, while riddling Windows 10 full of spyware.

    1. Re:Microsoft Hypocrisy by thegarbz · · Score: 1

      There's nothing hypocritical about it. They are two different things with two different implications. One is about giving the parent entity customer data, the other is preventing other unauthorised people from accessing encrypted data.

  7. ancient management consoles by Anonymous Coward · · Score: 2, Insightful

    Someone may want to notify HP, Dell and Sun Micro...whoops! Oracle.

    There is a lot of old console interface hardware with baked in low-grade self-signed SSL certs that may never go away.

    Between that and servers using old Java-based consoles, some technologies never seem to die.

    It's not like the vendors couldn't patch them. There is just no money in it. Or to be precise current TLS support in your hardware console is another feature to "encourage" an upgrade.

    1. Re:ancient management consoles by darkain · · Score: 1

      And this is EXACTLY why I still have a Windows XP virtual machine with IE6 and Java 6 on it, just to handle administration tasks on legacy equipment. But that VM is locked down to just those tasks on that private network, and never powered on otherwise.

      The hardware in question? Ancient laser printers from the 1990s, more specifically the HP LaserJet 2100 series. They may be a little slow and clunky, but they NEVER fail! And they still have driver support on Windows 10. Can't even tell ya how many other printers I've serviced and watched die over the years in the same businesses that also have these things deployed, and I've yet to see a single 2100 die.

  8. More eyeballs is a myth by Anonymous Coward · · Score: 3, Informative

    Yes, Eric Raymond's "The Cathedral and the Bazaar" assumed that just because source is available, people will read it. Just because people can do something doesn't mean they will. They need incentive. Around major open source projects there are enough numbers and focus to allow this, but most open source software has a very small number of people supporting it, if any. Why would I waste my time reading someone else's source code looking for bugs which might be there, or might not be? Even security holes, which I'm not likely to find anyway? Bug bounties are a poor incentive too: you might work your guts out on a piece of code, find nothing, and not be able to pay the rent. You're right not to trust Microsoft at all, but open source has a serious problem with the economics of lack of incentive.

    1. Re:More eyeballs is a myth by Narcocide · · Score: 1

      Yea but just imagine what they could accomplish if they were funded even half as well as your average Microsoft product.

    2. Re:More eyeballs is a myth by Anonymous Coward · · Score: 0

      >but most open source software has a very small number of people supporting it
      He's talking about Firefox and Chrome/Chromium. The number of people supporting those two projects is not small.

    3. Re:More eyeballs is a myth by Anonymous Coward · · Score: 0

      The Mozilla Foundation once received around 300 million dollars a year from Google; where is my secure browser? Ohhhh that's right, they were banned from hacking contests because Firefox is too easy to hack.

    4. Re:More eyeballs is a myth by Anonymous Coward · · Score: 0

      Even so - SOME people DO read it.

      It is why patches can come out as fast as a vulnerability is found.

    5. Re:More eyeballs is a myth by Narcocide · · Score: 1

      Back when that was true, that they were receiving that much money from Google, it was well before they had slumped in security, and you know it very well. Besides which, most of the "Firefox vulnerabilities" were actually vulnerabilities in 3rd party plugins or extensions that only supported Firefox.

  9. Both users will never notice by kimvette · · Score: 2

    Both remaining MSIE users will never notice the difference.

    --
    The Christian Right is Neither (Christian nor right). See: Matthew 23, Matthew 25, Ezekiel 16:48-50
    1. Re:Both users will never notice by thegarbz · · Score: 1

      +5 funny
      -1 sadly not reflecting reality

      There are many people still forced to use IE.

    2. Re:Both users will never notice by Anonymous Coward · · Score: 0

      I also beg to differ... a large section of the IE users will likely notice as they were using IE since the better browsers no longer support their insecure websites.

      Question is, would you really throw out a network printer because its https implementation is now considered insecure? This is where I see the most security exceptions and it just doesn't make sense to spend $200 on a printer because your management password might get stolen.

  10. I'm confused by ArhcAngel · · Score: 0

    Is this submission saying that Release Candidate 4 of IE 11 AND Edge were pulled? I didn't even know there was a Release Candidate 3!

    --
    "A person is smart. People are dumb, panicky dangerous animals and you know it." - K
  11. Not just Microsoft, also Apple by SuperKendall · · Score: 2

    Apple is dropping RC4 support in iOS10.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
    1. Re:Not just Microsoft, also Apple by Anonymous Coward · · Score: 0

      Yes, but as this is Slashdot, each developer has to get a different story so the usual reactionaries can spew their uneducated dogmas.

      Microsoft: well, just read this, half the posts are from FOSSolytes trying to pretend that open source projects never have serious bugs
      Apple: will be a mix of "first company to ever care about security", "Android had this 2 years ago", and "why pay so much when you can roll your own with a Raspberry PI, Linux Mint, and some leftover electronics from the miscellaneous clutter drawer?"
      Google: long diatribes about how Chrome is the One True Web Browser and no one needs anything else, ever. All comments questioning that decree will be modded to -1 Troll
      Mozilla: just kidding, there won't be a story about Firefox dropping RC4. There might be a story about how the project staff discussed the matter, and then fired the white cisgendered male scum who suggested removing an underappreciated communication standard, leaving it completely abandoned and alone.

    2. Re:Not just Microsoft, also Apple by Anonymous Coward · · Score: 0

      Much as I enjoyed your comment (and I did, I really, really did!), I think you went a little AWOL with your Apple section. Might I suggest instead:

      'Apple: will be a mix of "first company to ever care about security", "Do you feel the build quality (strokes phone suggestively)? No malware author would dare soil such a jewel!", and "Just one more thing. Our emoji guns do not promote gun violence. We are the first technology company in history to make a statement on cartoon guns (crowd goes wild)!"'