Microsoft Security Advisory (2868725)
Update for Disabling RC4
Microsoft is announcing the availability of an update for supported editions of Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, and Windows RT to address known weaknesses in RC4. The update supports the removal of RC4 as an available cipher on affected systems through registry settings. It also allows developers to remove RC4 in individual applications through the use of the SCH_USE_STRONG_CRYPTO flag in the SCHANNEL_CRED structure. These options are not enabled by default.
Recommendation. Microsoft recommends that customers download and install the update immediately and then test the new settings in their environments. Please see the Suggested Actions section of this advisory for more information.
For more information about this issue, see the following references:
|Microsoft Knowledge Base Article|2868725|
This advisory discusses the following software.
|Windows 7 for 32-bit Systems Service Pack 1|
|Windows 7 for x64-based Systems Service Pack 1|
|Windows Server 2008 R2 for x64-based Systems Service Pack 1|
|Windows Server 2008 R2 for Itanium-based Systems Service Pack 1|
|Windows 8 for 32-bit Systems|
|Windows 8 for x64-based Systems|
|Windows Server 2012|
|Server Core installation option|
|Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)|
|Windows Server 2012 (Server Core installation)|
- You can provide feedback by completing the Microsoft Help and Support form, Customer Service Contact Us.
- Customers in the United States and Canada can receive technical support from Security Support. For more information, see Microsoft Help and Support.
- International customers can receive support from their local Microsoft subsidiaries. For more information, see International Support.
- Microsoft TechNet Security provides additional information about security in Microsoft products.
The information provided in this advisory is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
- V1.0 (November 12, 2013): Advisory published.