Executive Summary
Summary | |
---|---|
Title | Update for Disabling RC4 |

Information | | | |
---|---|---|---|
Name | KB2868725 | First vendor Publication | 2013-11-12 |
Vendor | Microsoft | Last vendor Modification | 1970-01-01 |
Severity (Vendor) | N/A | Revision | 1.0 |
Security-Database Scoring CVSS v3
CVSS vector: N/A | | | |
---|---|---|---|
Overall CVSS Score | NA | | |
Base Score | NA | Environmental Score | NA |
Impact SubScore | NA | Temporal Score | NA |
Exploitability SubScore | NA | | |
Security-Database Scoring CVSS v2
CVSS vector: | | | |
---|---|---|---|
CVSS Base Score | Not Defined | Attack Range | Not Defined |
CVSS Impact Score | Not Defined | Attack Complexity | Not Defined |
CVSS Exploit Score | Not Defined | Authentication | Not Defined |
Detail
Microsoft is announcing the availability of an update for supported editions of Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, and Windows RT to address known weaknesses in RC4. The update supports the removal of RC4 as an available cipher on affected systems through registry settings. It also allows developers to remove RC4 in individual applications through the use of the SCH_USE_STRONG_CRYPTO flag in the SCHANNEL_CRED structure. These options are not enabled by default.

Recommendation

Microsoft recommends that customers download and install the update immediately and then test the new settings in their environments. Please see the Suggested Actions section of this advisory for more information.

For more information about this issue, see the following references:

This advisory discusses the following software.

Does this update apply to Windows 8.1, Windows Server 2012 R2, or Windows RT 8.1?
What is the scope of the advisory?
What is a man-in-the-middle attack?
What does the 2868725 update do?
Will the update impact the user experience for Internet Explorer or other in-box applications?
How do I prepare for this release?
What is Schannel?
What is TLS?
What is RC4?

Apply the update for affected releases of Microsoft Windows

The majority of customers have automatic updating enabled and will not need to take any action because the 2868725 update will be downloaded and installed automatically. Customers who have not enabled automatic updating need to check for updates and install this update manually. For information about specific configuration options in automatic updating, see Microsoft Knowledge Base Article 294871.

For administrators and enterprise installations, or end users who want to install the 2868725 update manually, Microsoft recommends that customers apply the update immediately using update management software, or by checking for updates using the Microsoft Update service. For more information on how to manually apply the update, see Microsoft Knowledge Base Article 2868725.

Thoroughly test new settings before implementing them in your environment

After applying the update, Microsoft recommends that customers test any new settings for disabling RC4 prior to implementing them in their environments. Failing to test the new settings could result in impact to the user experience for Internet Explorer or other applications that make use of TLS.
Original Source
URL: http://www.microsoft.com/technet/security/advisory/2868725.mspx
Alert History
Date | Information |
---|---|
2014-02-17 11:38:44 | |
2013-11-12 21:19:25 | |