Executive Summary
| Summary | |
|---|---|
| Title | Microsoft Security Advisory 2960358 |
| Informations | |||
|---|---|---|---|
| Name | KB2960358 | First vendor Publication | 2014-05-13 |
| Vendor | Microsoft | Last vendor Modification | 2014-07-08 |
| Severity (Vendor) | N/A | Revision | 1.0 |
Security-Database Scoring CVSS v3
| Cvss vector : N/A | |||
|---|---|---|---|
| Overall CVSS Score | NA | ||
| Base Score | NA | Environmental Score | NA |
| impact SubScore | NA | Temporal Score | NA |
| Exploitabality Sub Score | NA | ||
| Calculate full CVSS 3.0 Vectors scores | |||
Security-Database Scoring CVSS v2
| Cvss vector : | |||
|---|---|---|---|
| Cvss Base Score | Not Defined | Attack Range | Not Defined |
| Cvss Impact Score | Not Defined | Attack Complexity | Not Defined |
| Cvss Expoit Score | Not Defined | Authentication | Not Defined |
| Calculate full CVSS 2.0 Vectors scores | |||
Detail
Microsoft Security Advisory 2960358Update for Disabling RC4 in .NET TLSPublished: May 13, 2014 | Updated: July 8, 2014 Version: 1.2 General InformationExecutive SummaryMicrosoft is announcing the availability of an update for Microsoft .NET Framework that disables RC4 in Transport Layer Security (TLS) through the modification of the system registry. Use of RC4 in TLS could allow an attacker to perform man-in-the-middle attacks and recover plaintext from encrypted sessions. Recommendation. Microsoft recommends that customers download and test the update before deploying it in their environments as soon as possible. Please see the Suggested Actions section of this advisory for more information. Known Issues. Microsoft Knowledge Base Article 2978675 documents the currently known issues that customers may experience when installing this update. The article also documents recommended solutions for these issues.
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| References | Identification |
|---|---|
| Microsoft Knowledge Base Article | 2960358 |
Affected Software
This advisory discusses the following software.
| Operating System | Component |
| Windows 7 | |
| Windows 7 for 32-bit Systems Service Pack 1 | Microsoft .NET Framework 3.5.1 [1] |
| Windows 7 for 32-bit Systems Service Pack 1 | Microsoft .NET Framework 4 [1][2] |
| Windows 7 for 32-bit Systems Service Pack 1 | Microsoft .NET Framework 4.5 [1] |
| Windows 7 for 32-bit Systems Service Pack 1 | Microsoft .NET Framework 4.5.1 [1] |
| Windows 7 for 32-bit Systems Service Pack 1 | Microsoft .NET Framework 4.5.2 [1] |
| Windows 7 for x64-based Systems Service Pack 1 | Microsoft .NET Framework 3.5.1 [1] |
| Windows 7 for x64-based Systems Service Pack 1 | Microsoft .NET Framework 4 [1][2] |
| Windows 7 for x64-based Systems Service Pack 1 | Microsoft .NET Framework 4.5 [1] |
| Windows 7 for x64-based Systems Service Pack 1 | Microsoft .NET Framework 4.5.1 [1] |
| Windows 7 for x64-based Systems Service Pack 1 | Microsoft .NET Framework 4.5.2 [1] |
| Windows Server 2008 R2 | |
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 | Microsoft .NET Framework 3.5.1 [1] |
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 | Microsoft .NET Framework 4 [1][2] |
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 | Microsoft .NET Framework 4.5 [1] |
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 | Microsoft .NET Framework 4.5.1 [1] |
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 | Microsoft .NET Framework 4.5.2 [1] |
| Windows Server 2008 R2 for Itanium-based Systems Service Pack 1 | Microsoft .NET Framework 3.5.1 [1] |
| Windows Server 2008 R2 for Itanium-based Systems Service Pack 1 | Microsoft .NET Framework 4 [1][2] |
| Windows 8 and Windows 8.1 | |
| Windows 8 for 32-bit Systems | Microsoft .NET Framework 3.5 [1] |
| Windows 8 for 32-bit Systems | Microsoft .NET Framework 4.5 [1] |
| Windows 8 for 32-bit Systems | Microsoft .NET Framework 4.5.1 [1] |
| Windows 8 for 32-bit Systems | Microsoft .NET Framework 4.5.2 [1] |
| Windows 8 for 64-bit Systems | Microsoft .NET Framework 3.5 [1] |
| Windows 8 for 64-bit Systems | Microsoft .NET Framework 4.5 [1] |
| Windows 8 for 64-bit Systems | Microsoft .NET Framework 4.5.1 [1] |
| Windows 8 for 64-bit Systems | Microsoft .NET Framework 4.5.2 [1] |
| Windows 8.1 for 32-bit Systems | Microsoft .NET Framework 3.5 |
| Windows 8.1 for 32-bit Systems | Microsoft .NET Framework 4.5.1 |
| Windows 8.1 for 32-bit Systems | Microsoft .NET Framework 4.5.2 |
| Windows 8.1 for 64-bit Systems | Microsoft .NET Framework 3.5 |
| Windows 8.1 for 64-bit Systems | Microsoft .NET Framework 4.5.1 |
| Windows 8.1 for 64-bit Systems | Microsoft .NET Framework 4.5.2 |
| Windows Server 2012 and Windows Server 2012 R2 | |
| Windows Server 2012 | Microsoft .NET Framework 3.5 [1] |
| Windows Server 2012 | Microsoft .NET Framework 4.5 [1] |
| Windows Server 2012 | Microsoft .NET Framework 4.5.1 [1] |
| Windows Server 2012 | Microsoft .NET Framework 4.5.2 [1] |
| Windows Server 2012 R2 | Microsoft .NET Framework 3.5 |
| Windows Server 2012 R2 | Microsoft .NET Framework 4.5.1 |
| Windows Server 2012 R2 | Microsoft .NET Framework 4.5.2 |
| Windows RT and Windows RT 8.1 | |
| Windows RT | Microsoft .NET Framework 4.5 [1] |
| Windows RT | Microsoft .NET Framework 4.5.1 [1] |
| Windows RT | Microsoft .NET Framework 4.5.2 [1] |
| Windows RT 8.1 | Microsoft .NET Framework 4.5.1 |
| Windows RT 8.1 | Microsoft .NET Framework 4.5.2 |
| Server Core installation option | |
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) | Microsoft .NET Framework 3.5.1 [1] |
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) | Microsoft .NET Framework 4 [1][2] |
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) | Microsoft .NET Framework 4.5 [1] |
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) | Microsoft .NET Framework 4.5.1 [1] |
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) | Microsoft .NET Framework 4.5.2 [1] |
| Windows Server 2012 (Server Core installation) | Microsoft .NET Framework 3.5 [1] |
| Windows Server 2012 (Server Core installation) | Microsoft .NET Framework 4.5 [1] |
| Windows Server 2012 (Server Core installation) | Microsoft .NET Framework 4.5.1 [1] |
| Windows Server 2012 (Server Core installation) | Microsoft .NET Framework 4.5.2 [1] |
| Windows Server 2012 R2 (Server Core installation) | Microsoft .NET Framework 3.5 |
| Windows Server 2012 R2 (Server Core installation) | Microsoft .NET Framework 4.5.1 |
| Windows Server 2012 R2 (Server Core installation) | Microsoft .NET Framework 4.5.2 |
[1] Prerequisite. This update requires pre-installation of the 2868725 update released in November, 2013, or any update that installs a later file version of schannel.dll than the one released with the 2868725 update.
[2] .NET Framework 4 and .NET Framework 4 Client Profile affected. The .NET Framework version 4 redistributable packages are available in two profiles: .NET Framework 4 and .NET Framework 4 Client Profile. .NET Framework 4 Client Profile is a subset of .NET Framework 4. The vulnerability addressed in this update affects both .NET Framework 4 and .NET Framework 4 Client Profile. For more information, see the MSDN article, Installing the .NET Framework.
| Non-Affected Software |
|---|
| Microsoft .NET Framework 1.0 Service Pack 3 |
| Microsoft .NET Framework 1.1 Service Pack 1 |
| Microsoft .NET Framework 2.0 Service Pack 2 |
| Microsoft .NET Framework 3.0 Service Pack 2 |
| Microsoft .NET Framework 3.5 Service Pack 1 |
| Windows Server 2003 for 32-bit Systems Service Pack 2 |
| Windows Server 2003 for x64-based Systems Service Pack 2 |
| Windows Server 2003 for Itanium-based Systems Service Pack 2 |
| Windows Vista Service Pack 2 |
| Windows Vista x64 Edition Service Pack 2 |
| Windows Server 2008 for 32-bit Systems Service Pack 2 |
| Windows Server 2008 for x64-based Systems Service Pack 2 |
| Windows Server 2008 for Itanium-based Systems Service Pack 2 |
Advisory FAQ
Are there any prerequisites for installing the updates addressed in this advisory?
Yes. Pre-installation of the 2868725 update, released in November, 2013, is a prerequisite for installing the updates addressed in this advisory, with the exception of those updates applying to Windows 8.1, Windows Server 2012 R2, and Windows RT 8.1. For more information about the prerequisite update, see Microsoft Knowledge Base Article 2868725.
Are the updates available on Windows Update?
No. Due to new behavior that restricts the unsecured RC4 cipher, the updates addressed in this advisory are being provided via the Microsoft Download Center and Microsoft Update Catalog only. The updates are not being provided via Windows Update in order to give customers the ability to plan and test the new settings for disabling RC4 prior to implementation in their environments.
What is the scope of the advisory?
The purpose of this advisory is to notify customers that an update is available for Microsoft .NET Framework that disables RC4 in Transport Layer Security (TLS).
What might an attacker use the vulnerability to do?
Use of RC4 in TLS could allow an attacker to perform man-in-the-middle attacks and recover plaintext from encrypted sessions.
What is a man-in-the-middle attack?
A man-in-the-middle attack occurs when an attacker reroutes communication between two users through the attacker's computer without the knowledge of the two communicating users. Each user in the communication unknowingly sends traffic to and receives traffic from the attacker, all the while thinking they are communicating only with the intended user.
What does the update do?
The update supports the removal of RC4 as an available cipher on affected systems through registry settings. Microsoft recommends that customers test any new settings for disabling RC4 prior to implementation in their environments.
What is TLS?
Transport Layer Security (TLS) is a standard protocol that is used to provide secure web communications on the Internet or intranets. It enables clients to authenticate servers or, optionally, servers to authenticate clients. It also provides a secure channel by encrypting communications. TLS is the latest version of the Secure Sockets Layer (SSL) protocol.
What is RC4?
RC4 is a stream cipher that is used in both encryption and decryption.
Suggested Actions
- Apply the update for affected releases of Microsoft .NET Framework
The update is available from the Microsoft Download Center. For information on how to manually apply the update, see Microsoft Knowledge Base Article 2960358.
Additional Suggested Actions
- Protect your PC
We continue to encourage customers to follow our Protect Your Computer guidance of enabling a firewall, getting software updates and installing antivirus software. For more information, see Microsoft Safety & Security Center.
- Keep Microsoft Software Updated
Users running Microsoft software should apply the latest Microsoft security updates to help make sure that their computers are as protected as possible. If you are not sure whether your software is up to date, visit Microsoft Update, scan your computer for available updates, and install any high-priority updates that are offered to you. If you have automatic updating enabled and configured to provide updates for Microsoft products, the updates are delivered to you when they are released, but you should verify that they are installed.
Security Update Deployment
Windows 7 (all editions)
Reference Table
The following table contains the security update information for this software.
| Inclusion in Future Service Packs | The update for this issue will be included in a future service pack or update rollup |
| Security update file name | For Microsoft .NET Framework 3.5.1 on Windows 7 for 32-bit Systems Service Pack 1: |
| | For Microsoft .NET Framework 4 when installed on Windows 7 for 32-bit Systems Service Pack 1: |
| | For Microsoft .NET Framework 4.5 when installed on Windows 7 for 32-bit Systems Service Pack 1: |
| | For Microsoft .NET Framework 4.5.1 when installed on Windows 7 for 32-bit Systems Service Pack 1: |
| | For Microsoft .NET Framework 4.5.2 when installed on Windows 7 for 32-bit Systems Service Pack 1: |
| | For Microsoft .NET Framework 3.5.1 on Windows 7 for x64-based Systems Service Pack 1: |
| | For Microsoft .NET Framework 4 when installed on Windows 7 for x64-based Systems Service Pack 1: |
| | For Microsoft .NET Framework 4.5 when installed on Windows 7 for x64-based Systems Service Pack 1: |
| | For Microsoft .NET Framework 4.5.1 when installed on Windows 7 for x64-based Systems Service Pack 1: |
| | For Microsoft .NET Framework 4.5.2 when installed on Windows 7 for x64-based Systems Service Pack 1: |
| Installation switches | See Microsoft Knowledge Base Article 2844699 |
| Update log file | For Microsoft .NET Framework 3.5.1: |
| | For Microsoft .NET Framework 4: |
| | For Microsoft .NET Framework 4.5: |
| | For Microsoft .NET Framework 4.5.1: |
| | For Microsoft .NET Framework 4.5.2: |
| Restart requirement | This update does not require a restart. The installer stops the required services, applies the update, and then restarts the services. However, if the required services cannot be stopped for any reason, or if required files are being used, this update will require a restart. If this behavior occurs, a message appears that advises you to restart. |
| Removal information | Click Control Panel, click System and Security, and then under Windows Update, click View installed updates and select from the list of updates. |
| File information | See Microsoft Knowledge Base Article 2960358 |
| Registry key verification | For Microsoft .NET Framework 3.5.1: |
| | For Microsoft .NET Framework 4 when installed on all supported 32-bit editions of Windows 7: |
| | For Microsoft .NET Framework 4 when installed on all supported x64-based editions of Windows 7: |
| | For Microsoft .NET Framework 4.5: |
| | For Microsoft .NET Framework 4.5.1: |
| | For Microsoft .NET Framework 4.5.2: |
Windows Server 2008 R2 (all editions)
Reference Table
The following table contains the security update information for this software.
| Inclusion in Future Service Packs | The update for this issue will be included in a future service pack or update rollup |
| Security update file name | For Microsoft .NET Framework 3.5.1 on Windows Server 2008 R2 for x64-based Systems Service Pack 1: |
| | For Microsoft .NET Framework 4 when installed on Windows Server 2008 R2 for x64-based Systems Service Pack 1: |
| | For Microsoft .NET Framework 4.5 when installed on Windows Server 2008 R2 for x64-based Systems Service Pack 1: |
| | For Microsoft .NET Framework 4.5.1 when installed on Windows Server 2008 R2 for x64-based Systems Service Pack 1: |
| | For Microsoft .NET Framework 4.5.2 when installed on Windows Server 2008 R2 for x64-based Systems Service Pack 1: |
| | For Microsoft .NET Framework 3.5.1 on Windows Server 2008 R2 for Itanium-based Systems Service Pack 1: |
| | For Microsoft .NET Framework 4 when installed on Windows Server 2008 R2 for Itanium-based Systems Service Pack 1: |
| Installation switches | See Microsoft Knowledge Base Article 2844699 |
| Update log file | For Microsoft .NET Framework 3.5.1: |
| | For Microsoft .NET Framework 4: |
| | For Microsoft .NET Framework 4.5: |
| | For Microsoft .NET Framework 4.5.1: |
| | For Microsoft .NET Framework 4.5.2: |
| Restart requirement | This update does not require a restart. The installer stops the required services, applies the update, and then restarts the services. However, if the required services cannot be stopped for any reason, or if required files are being used, this update will require a restart. If this behavior occurs, a message appears that advises you to restart. |
| Removal information | Click Control Panel, click System and Security, and then under Windows Update, click View installed updates and select from the list of updates. |
| File information | See Microsoft Knowledge Base Article 2960358 |
| Registry key verification | For Microsoft .NET Framework 3.5.1: |
| | For Microsoft .NET Framework 4: |
| | For Microsoft .NET Framework 4.5: |
| | For Microsoft .NET Framework 4.5.1: |
| | For Microsoft .NET Framework 4.5.2: |
Windows 8 (all editions) and Windows 8.1 (all editions)
Reference Table
The following table contains the security update information for this software.
| Inclusion in Future Service Packs | The update for this issue will be included in a future service pack or update rollup |
| Security update file name | For Microsoft .NET Framework 3.5 on Windows 8 for 32-bit Systems: |
| | For Microsoft .NET Framework 4.5 on Windows 8 for 32-bit Systems: |
| | For Microsoft .NET Framework 4.5.1 on Windows 8 for 32-bit Systems: |
| | For Microsoft .NET Framework 4.5.2 on Windows 8 for 32-bit Systems: |
| | For Microsoft .NET Framework 3.5 on Windows 8 for 64-bit Systems: |
| | For Microsoft .NET Framework 4.5 on Windows 8 for 64-bit Systems: |
| | For Microsoft .NET Framework 4.5.1 on Windows 8 for 64-bit Systems: |
| | For Microsoft .NET Framework 4.5.2 on Windows 8 for 64-bit Systems: |
| | For Microsoft .NET Framework 3.5 on Windows 8.1 for 32-bit Systems: |
| | For Microsoft .NET Framework 4.5.1 on Windows 8.1 for 32-bit Systems: |
| | For Microsoft .NET Framework 4.5.2 on Windows 8.1 for 32-bit Systems: |
| | For Microsoft .NET Framework 3.5 on Windows 8.1 for 64-bit Systems: |
| | For Microsoft .NET Framework 4.5.1 on Windows 8.1 for 64-bit Systems: |
| | For Microsoft .NET Framework 4.5.2 on Windows 8.1 for 64-bit Systems: |
| Installation switches | See Microsoft Knowledge Base Article 2844699 |
| Restart requirement | This update does not require a restart. The installer stops the required services, applies the update, and then restarts the services. However, if the required services cannot be stopped for any reason, or if required files are being used, this update will require a restart. If this behavior occurs, a message appears that advises you to restart. |
| Removal information | Click Control Panel, click System and Security, click Windows Update, and then under See also, click Installed updates and select from the list of updates. |
| File information | See Microsoft Knowledge Base Article 2960358 |
| Registry key verification | For Microsoft .NET Framework 3.5: |
| | For Microsoft .NET Framework 4.5: |
| | For Microsoft .NET Framework 4.5.1: Note A registry key does not exist to validate the presence of this update. Use WMI to detect for the presence of this update. |
| | For Microsoft .NET Framework 4.5.2: Note A registry key does not exist to validate the presence of this update. Use WMI to detect for the presence of this update. |
Windows Server 2012 (all editions) and Windows Server 2012 R2 (all editions)
Reference Table
The following table contains the security update information for this software.
| Inclusion in Future Service Packs | The update for this issue will be included in a future service pack or update rollup |
| Security update file name | For Microsoft .NET Framework 3.5 on Windows Server 2012: |
| | For Microsoft .NET Framework 4.5 on Windows Server 2012: |
| | For Microsoft .NET Framework 4.5.1 on Windows Server 2012: |
| | For Microsoft .NET Framework 4.5.2 on Windows Server 2012: |
| | For Microsoft .NET Framework 3.5 on Windows Server 2012 R2: |
| | For Microsoft .NET Framework 4.5.1 on Windows Server 2012 R2: |
| | For Microsoft .NET Framework 4.5.2 on Windows Server 2012 R2: |
| Installation switches | See Microsoft Knowledge Base Article 2844699 |
| Restart requirement | This update does not require a restart. The installer stops the required services, applies the update, and then restarts the services. However, if the required services cannot be stopped for any reason, or if required files are being used, this update will require a restart. If this behavior occurs, a message appears that advises you to restart. |
| Removal information | Click Control Panel, click System and Security, click Windows Update, and then under See also, click Installed updates and select from the list of updates. |
| File information | See Microsoft Knowledge Base Article 2960358 |
| Registry key verification | Note A registry key does not exist to validate the presence of this update. |
Windows RT (all editions) and Windows RT 8.1 (all editions)
The following table contains the security update information for this software.
| Deployment | For Microsoft .NET Framework 4.5, 4.5.1, and 4.5.2 on Windows RT: |
| | For Microsoft .NET Framework 4.5.1 and 4.5.1 on Windows RT 8.1: |
| Restart Requirement | Yes, you must restart your system after you apply this security update. |
| Removal Information | Click Control Panel, click System and Security, click Windows Update, and then under See also, click Installed updates and select from the list of updates. |
| File Information | See Microsoft Knowledge Base Article 2960358 |
Other Information
Microsoft Active Protections Program (MAPP)
To improve security protections for customers, Microsoft provides vulnerability information to major security software providers in advance of each monthly security update release. Security software providers can then use this vulnerability information to provide updated protections to customers via their security software or devices, such as antivirus, network-based intrusion detection systems, or host-based intrusion prevention systems. To determine whether active protections are available from security software providers, please visit the active protections websites provided by program partners, listed in Microsoft Active Protections Program (MAPP) Partners.
Feedback
- You can provide feedback by completing the Microsoft Help and Support form, Customer Service Contact Us.
Support
- Customers in the United States and Canada can receive technical support from Security Support. For more information, see Microsoft Help and Support.
- International customers can receive support from their local Microsoft subsidiaries. For more information, see International Support.
- Microsoft TechNet Security provides additional information about security in Microsoft products.
Disclaimer
The information provided in this advisory is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
Revisions
- V1.0 (May 13, 2014): Advisory published.
- V1.1 (June 19, 2014): Added link to Microsoft Knowledge Base Article 2978675 under Known Issues in the Executive Summary.
- V1.2 (July 8, 2014): Advisory revised to announce a Microsoft Update Catalog detection change for the updates requiring installation of the 2868725 prerequisite update. This is a detection change only. Customers who have already successfully updated their systems do not need to take any action.
Original Source
| Url : http://www.microsoft.com/technet/security/advisory/2960358.mspx |
Alert History
| Date | Informations |
|---|---|
| 2014-08-19 11:19:26 |
|
