Microsoft didn’t beat around the bush when it warned customers to stay away from the deprecated RC4 algorithm last fall. Now it’s giving those who use its .NET software framework an option to disable the cipher in Transport Layer Security (TLS) as well.
In a security advisory issued on its Security TechCenter yesterday, echoing its stance last year, Microsoft pointed out that using RC4 in TLS can give an attacker the ability to perform man-in-the-middle attacks and siphon away plaintext from encrypted sessions.
In November, Microsoft gave those using Windows 7, Windows 8, Windows RT, Server 2008 R2, and Server 2012 the ability to disable the troublesome cipher. Now, six months later, the company is letting anyone running the latest version of .NET to do the same, through modifying the system registry. While .NET users looking to download the updates can find them at Microsoft’s Download Center and Microsoft’s Update Catalog, it’s keeping the update off of Windows Update “in order to give customers the ability to plan and test the new settings for disabling RC4 prior to implementation in their environments.”
RC4’s faults have been well-documented. Now a quarter century old, the cipher is one of the older algorithms in use across the Internet today. With its usage has come an influx of practical attacks, many that can recover plaintext. One such attack, dug up last year by researcher and University of Illinois at Chicago professor Daniel J. Bernstein enabled an attacker to fully compromise a victim’s session that’s protected by TLS/RC4.
The advisory was one of three Microsoft issued yesterday.
The second informed users that the company has tweaked a handful of its operating systems to better protect credentials and domain authentication controls. Updates to Windows 8, Windows RT, Server 2012, Windows 7, and Server 2008 R2 will now enforce stricter authentication policies. Microsoft is doing this by adding an extra layer of security to Local Security Authority (LSA), the interface that logs users onto local systems. The update also adds a new admin mode for its Credential Security Support Provider (CredSSP), a protocol that lets programs use client-side Security Support Provider APIs to assign user credentials from client computers to target servers. The update to CredSSP should prevent credentials from being harvested if the client ever winds up connecting to a compromised server.
Microsoft points out that while the updates should be beneficial for anyone running the aforementioned systems, they’ll be most useful in enterprise environments where Windows domains are deployed.
In the last advisory Microsoft gave users a heads up that it went ahead and revoked the digital signatures for four third-party Unified Extensible Firmware Interface (UEFI) modules yesterday. The advisory is a bit vague, but claims the unnamed modules, which could be loaded during a Secure Boot, were not in compliance with the company’s certification program. As the modules were private and third-party, not a whole lot more information was given but Microsoft claims the move was as part of its “ongoing efforts to protect customers.”
All advisories of course come on the heels of yesterday’s Patch Tuesday updates. The update addressed 13 issues, including critical vulnerabilities in IE and its Sharepoint Server software.