Executive Summary

Summary
Title: Update for Disabling RC4
Information

Name: KB2868725
Vendor: Microsoft
Severity (Vendor): N/A
Revision: 1.0
First vendor publication: 2013-11-12
Last vendor modification: not recorded (the page shows 1970-01-01, the Unix epoch placeholder for an unset date)

Security-Database Scoring CVSS v3

CVSS vector: N/A
Overall CVSS Score: NA
Base Score: NA    Environmental Score: NA
Impact Sub Score: NA    Temporal Score: NA
Exploitability Sub Score: NA

Security-Database Scoring CVSS v2

CVSS vector: not defined
CVSS Base Score: Not Defined    Attack Range: Not Defined
CVSS Impact Score: Not Defined    Attack Complexity: Not Defined
CVSS Exploit Score: Not Defined    Authentication: Not Defined

(No CVSS score is assigned: this is a hardening advisory that ships configuration options, not a fix for a specific vulnerability.)

Detail

General Information

Executive Summary

Microsoft is announcing the availability of an update for supported editions of Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, and Windows RT to address known weaknesses in RC4. The update supports the removal of RC4 as an available cipher on affected systems through registry settings. It also allows developers to remove RC4 in individual applications through the use of the SCH_USE_STRONG_CRYPTO flag in the SCHANNEL_CRED structure. These options are not enabled by default.

Recommendation. Microsoft recommends that customers download and install the update immediately and then test the new settings in their environments. Please see the Suggested Actions section of this advisory for more information.

Advisory Details

Issue References

For more information about this issue, see the following references:

References                          Identification
Microsoft Knowledge Base Article    2868725

Affected Software

This advisory discusses the following software.

Operating System
Windows 7 for 32-bit Systems Service Pack 1
Windows 7 for x64-based Systems Service Pack 1
Windows Server 2008 R2 for x64-based Systems Service Pack 1
Windows Server 2008 R2 for Itanium-based Systems Service Pack 1
Windows 8 for 32-bit Systems
Windows 8 for x64-based Systems
Windows Server 2012
Windows RT
Server Core installation option
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
Windows Server 2012 (Server Core installation)

Advisory FAQ

Does this update apply to Windows 8.1, Windows Server 2012 R2, or Windows RT 8.1?
No. This update does not apply to Windows 8.1, Windows Server 2012 R2, or Windows RT 8.1 because these operating systems already include the functionality to restrict the use of RC4.

What is the scope of the advisory?
The purpose of this advisory is to notify customers that an update is available for supported editions of Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, and Windows RT that provides additional options for restricting the use of RC4. Use of RC4 in TLS and SSL could allow an attacker to perform man-in-the-middle attacks and recover plaintext from encrypted sessions. The underlying weakness is statistical bias in the RC4 keystream: an attacker who can observe a large number of TLS connections that encrypt the same plaintext at the same position (for example, an HTTP session cookie sent on every request) can recover that plaintext without ever learning the key.

What is a man-in-the-middle attack?
A man-in-the-middle attack occurs when an attacker reroutes communication between two users through the attacker's computer without the knowledge of the two communicating users. Each user in the communication unknowingly sends traffic to and receives traffic from the attacker, all the while thinking they are communicating only with the intended user.

What does the 2868725 update do?
The update supports the removal of RC4 as an available cipher on affected systems through registry settings. It also allows developers to remove RC4 in individual applications through the use of the SCH_USE_STRONG_CRYPTO flag in the SCHANNEL_CRED structure. These options are not enabled by default. Microsoft recommends that customers test any new settings for disabling RC4 prior to implementing them in their environments.
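The registry change the update enables, as an added example that is not part of the advisory or of KB2868725. The key path and the three entry names (`RC4 128/128`, `RC4 56/128`, `RC4 40/128`, each controlled by a DWORD value named `Enabled`) are the ones KB2868725 documents for Schannel; the function names and the read-back helper are this example's own. Schannel only honours the entries once the 2868725 update is installed, and it reads them at boot, so a restart is required after the change.

```powershell
# Added example, not part of the Microsoft advisory or KB2868725. It writes the Schannel
# registry values KB2868725 documents for the three RC4 cipher entries and reads them back.
# Run from an elevated PowerShell; Schannel reads these keys at boot, so reboot afterwards.
#
# Caveat: the subkey names contain '/', which the HKLM: drive provider treats as a path
# separator, so  New-Item 'HKLM:\...\Ciphers\RC4 128/128'  would silently create a nested
# 'RC4 128\128' key that Schannel ignores. The .NET registry API takes the name literally.

$CiphersPath = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers'
$Rc4Entries  = @('RC4 128/128', 'RC4 56/128', 'RC4 40/128')

function Set-Rc4CipherEnabled {
    # -Enabled:$false disables RC4 (Enabled = 0x00000000); -Enabled:$true restores it
    # (Enabled = 0xFFFFFFFF, written here as the Int32 -1) for rollback after testing.
    param([bool]$Enabled = $false)
    $dword = if ($Enabled) { -1 } else { 0 }
    $hklm = [Microsoft.Win32.Registry]::LocalMachine
    $ciphers = $hklm.CreateSubKey($CiphersPath)        # opens existing or creates, writable
    try {
        foreach ($name in $Rc4Entries) {
            $key = $ciphers.CreateSubKey($name)        # name kept literally, '/' included
            try {
                $key.SetValue('Enabled', [int]$dword, [Microsoft.Win32.RegistryValueKind]::DWord)
            } finally { $key.Close() }
        }
    } finally { $ciphers.Close() }
}

function Get-Rc4CipherState {
    # Reports each RC4 entry as 'disabled', 'enabled', or 'not set'; when the value is
    # absent Schannel falls back to its default, which on these OS versions is enabled.
    $hklm = [Microsoft.Win32.Registry]::LocalMachine
    foreach ($name in $Rc4Entries) {
        $state = 'not set (Schannel default: enabled)'
        $key = $hklm.OpenSubKey("$CiphersPath\$name")
        if ($key -ne $null) {
            try {
                $v = $key.GetValue('Enabled')
                if ($v -ne $null) { $state = if ($v -eq 0) { 'disabled' } else { 'enabled' } }
            } finally { $key.Close() }
        }
        New-Object PSObject -Property @{ Entry = $name; State = $state }
    }
}

# Usage (elevated):
#   Set-Rc4CipherEnabled -Enabled:$false   # disable all three RC4 entries
#   Get-Rc4CipherState                     # confirm each entry reads 'disabled'
#   Restart-Computer                        # Schannel picks up the change at boot
#   Set-Rc4CipherEnabled -Enabled:$true    # rollback if a required TLS peer breaks
```

`New-Object PSObject` is used instead of the `[pscustomobject]` accelerator so the script also runs on the PowerShell 2.0 that shipped with Windows 7 and Windows Server 2008 R2. Keep the rollback function handy: the advisory's own warning is that disabling RC4 can break TLS peers that offer nothing else, and the reboot makes a quick edit-and-retry cycle slow.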

Will the update impact the user experience for Internet Explorer or other in-box applications?
No. The changes implemented with the update are transparent to the user and will not impact the user experience for Internet Explorer or other in-box applications. However, it is possible that subsequent changes to settings for disabling RC4 could impact the user experience for Internet Explorer or other applications that make use of TLS. For this reason, it is highly recommended that customers thoroughly test any new settings relating to the disabling of RC4.

How do I prepare for this release?
Please see the Suggested Actions section of this advisory for a list of actions to perform in preparation for deploying this update.

What is Schannel?
Secure Channel, also known as Schannel, is a security support provider (SSP) that contains a set of security protocols that provide identity authentication and secure, private communication through encryption. Schannel is primarily used for Internet applications that require secure Hypertext Transfer Protocol (HTTP) communications. For more information, see Secure Channel.

What is TLS?
Transport Layer Security (TLS) is a standard protocol that is used to provide secure web communications on the Internet or intranets. It enables clients to authenticate servers or, optionally, servers to authenticate clients. It also provides a secure channel by encrypting communications. TLS is the standardized successor to the Secure Sockets Layer (SSL) protocol.

What is RC4?
RC4 is a stream cipher: it expands a secret key into a pseudorandom keystream that is XORed with the plaintext, and applying the same keystream again reverses the operation, so a single routine serves for both encryption and decryption. The weaknesses this advisory addresses are statistical biases in that keystream, which leak information about the plaintext when the same data is encrypted many times under different keys.

Suggested Actions

Apply the update for affected releases of Microsoft Windows

The majority of customers have automatic updating enabled and will not need to take any action because the 2868725 update will be downloaded and installed automatically. Customers who have not enabled automatic updating need to check for updates and install this update manually. For information about specific configuration options in automatic updating, see Microsoft Knowledge Base Article 294871.

For administrators and enterprise installations, or end users who want to install the 2868725 update manually, Microsoft recommends that customers apply the update immediately using update management software, or by checking for updates using the Microsoft Update service. For more information on how to manually apply the update, see Microsoft Knowledge Base Article 2868725.

Thoroughly test new settings before implementing them in your environment

After applying the update, Microsoft recommends that customers test any new settings for disabling RC4 prior to implementing them in their environments. Failing to test the new settings could result in impact to the user experience for Internet Explorer or other applications that make use of TLS.
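A check for this testing step, as an added example that is not from the advisory. It uses .NET's `SslStream`, which on Windows negotiates through Schannel, so after the registry change and a reboot it reports the cipher this machine's Schannel client actually agrees on with a given server. A handshake that fails because the two sides no longer share a cipher suite is the breakage the advisory warns about, so it is reported in the result rather than thrown. The host names in the usage comment are placeholders.

```powershell
# Added example, not from the advisory. SslStream on Windows is backed by Schannel, so the
# negotiated cipher reflects the machine-wide RC4 setting. One object is returned per host;
# a failed handshake (no common cipher suite, or a certificate the client rejects) lands in
# the Error field so a list of hosts can be checked in one run.
function Test-TlsCipher {
    param(
        [Parameter(Mandatory=$true)][string]$HostName,
        [int]$Port = 443
    )
    $result = New-Object PSObject -Property @{
        Host = $HostName; Port = $Port; Protocol = $null
        Cipher = $null; CipherBits = $null; UsesRC4 = $null; Error = $null
    }
    $client = $null; $ssl = $null
    try {
        $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
        $ssl.AuthenticateAsClient($HostName)   # Schannel selects the cipher suite here
        $result.Protocol   = $ssl.SslProtocol
        $result.Cipher     = $ssl.CipherAlgorithm
        $result.CipherBits = $ssl.CipherStrength
        $result.UsesRC4    = ($ssl.CipherAlgorithm -eq [System.Security.Authentication.CipherAlgorithmType]::Rc4)
    } catch [System.Security.Authentication.AuthenticationException] {
        # Handshake failure: this is what an application sees against a server that
        # offers only RC4 once RC4 is disabled on the client (or vice versa).
        $result.Error = $_.Exception.Message
    } catch {
        $result.Error = $_.Exception.Message   # DNS or TCP failure, unrelated to ciphers
    } finally {
        if ($ssl)    { $ssl.Dispose() }
        if ($client) { $client.Close() }
    }
    $result
}

# Usage: run once before the registry change and once after the reboot, then compare.
# (placeholder host names)
#   'intranet.example.invalid', 'www.example.com' | ForEach-Object { Test-TlsCipher $_ } |
#       Format-Table Host, Protocol, Cipher, CipherBits, UsesRC4, Error -AutoSize
```

Before the change, any host that shows `UsesRC4 = True` is a peer that will either move to another suite or fail once RC4 is removed; after the change, a non-empty `Error` on a host that previously succeeded is the regression the advisory asks you to find in testing rather than in production. Note that `AuthenticateAsClient` also validates the server certificate, so an intranet host with an untrusted certificate fails for that reason alone; read the message to tell the two cases apart.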

Original Source

Url : http://www.microsoft.com/technet/security/advisory/2868725.mspx

Alert History

Date                 Information
2014-02-17 11:38:44  Multiple updates
2013-11-12 21:19:25  First insertion