August 9, 2016 10:00 am

RC4 is now disabled in Microsoft Edge and Internet Explorer 11

In September 2015, Microsoft announced the end-of-support for the RC4 cipher in Microsoft Edge and Internet Explorer 11 in 2016, as there is consensus across the industry that RC4 is no longer cryptographically secure.

Today, we are releasing KB3151631 with the August 9, 2016 cumulative updates for Windows and IE, which disables RC4 in Microsoft Edge (Windows 10) and IE11 (Windows 8.1 and newer). This matches the most recent versions of Google Chrome and Mozilla Firefox.

Update (10/11): We are aware of an issue that may cause RC4 to remain enabled on Windows 7 devices after installing this update. This issue has been addressed as of the 10/11 IE Cumulative Update.

What is RC4?

RC4 is a stream cipher that was first described in 1987, and has been widely supported across web browsers and online services. Modern attacks have demonstrated that RC4 can be broken within hours or days. The typical attacks on RC4 exploit statistical biases in the RC4 keystream to recover plaintexts that are encrypted repeatedly under different keys, such as a session cookie sent in many connections. In February 2015, these attacks prompted the Internet Engineering Task Force to prohibit the use of RC4 with TLS (RFC 7465).
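The simplest of these biases, as an added illustration that is not part of the original post: Mantin and Shamir showed in 2001 that the second keystream byte of RC4 is zero with probability about 1/128, twice what a uniform keystream would give. If the same plaintext is encrypted under many different keys, the second ciphertext byte therefore equals the second plaintext byte twice as often as any other value, and taking the most frequent value recovers it. The script below implements RC4 in PowerShell, checks the implementation against the published "Key"/"Plaintext" test vector, and then runs this broadcast recovery on a constructed sample message. The key schedule, keystream generator and attack function are all written for this example; the real attacks on TLS combine many such biases across the whole keystream, so this shows only the first byte that falls.

```powershell
# RC4 keystream generator (KSA + PRGA), written for this example.
# Returns the first $Count keystream bytes for $Key.
function Get-Rc4Keystream {
    param([byte[]]$Key, [int]$Count)
    $S = [int[]](0..255)
    $j = 0
    for ($i = 0; $i -lt 256; $i++) {                      # key-scheduling algorithm
        $j = ($j + $S[$i] + $Key[$i % $Key.Length]) -band 0xFF
        $t = $S[$i]; $S[$i] = $S[$j]; $S[$j] = $t
    }
    $out = New-Object byte[] $Count
    $i = 0; $j = 0
    for ($k = 0; $k -lt $Count; $k++) {                   # pseudo-random generation algorithm
        $i = ($i + 1) -band 0xFF
        $j = ($j + $S[$i]) -band 0xFF
        $t = $S[$i]; $S[$i] = $S[$j]; $S[$j] = $t
        $out[$k] = $S[($S[$i] + $S[$j]) -band 0xFF]
    }
    return ,$out
}

# Sanity check against the well-known vector: key "Key" gives keystream EB 9F 77 81 ...
function Test-Rc4Vector {
    $ks = Get-Rc4Keystream -Key ([System.Text.Encoding]::ASCII.GetBytes('Key')) -Count 4
    $expected = [byte[]](0xEB, 0x9F, 0x77, 0x81)
    for ($n = 0; $n -lt 4; $n++) { if ($ks[$n] -ne $expected[$n]) { return $false } }
    return $true
}

# Broadcast attack on the second byte: encrypt the same plaintext under $Trials
# random 128-bit keys and pick the most frequent second ciphertext byte.
function Invoke-Rc4BroadcastAttack {
    param([byte[]]$Plaintext, [int]$Trials = 20000)
    $rng    = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $counts = New-Object int[] 256
    $key    = New-Object byte[] 16
    for ($t = 0; $t -lt $Trials; $t++) {
        $rng.GetBytes($key)
        $ks = Get-Rc4Keystream -Key $key -Count 2
        $c2 = $Plaintext[1] -bxor $ks[1]                  # second ciphertext byte
        $counts[$c2]++
    }
    $best = 0
    for ($v = 1; $v -lt 256; $v++) { if ($counts[$v] -gt $counts[$best]) { $best = $v } }
    [pscustomobject]@{
        RecoveredByte      = $best
        ActualByte         = [int]$Plaintext[1]
        HitCount           = $counts[$best]
        ExpectedIfUnbiased = [math]::Round($Trials / 256)   # ~78 for 20000 trials; RC4 gives ~156
    }
}

if (-not (Test-Rc4Vector)) { throw 'RC4 implementation does not match the reference vector' }

# Constructed sample message; only its second byte ('t') is recovered here.
$sample = [System.Text.Encoding]::ASCII.GetBytes('Attack at dawn')
Invoke-Rc4BroadcastAttack -Plaintext $sample | Format-List
```

The run takes a while in Windows PowerShell because of the 256-step key schedule per trial; lowering `-Trials` makes it faster but noisier. Note that the attack needs no knowledge of any key, only many encryptions of the same plaintext, which is exactly the situation of a cookie or password resent across sessions.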

Previously, Microsoft Edge and Internet Explorer 11 allowed RC4 during a fallback from TLS 1.2 or 1.1 to TLS 1.0. A fallback to TLS 1.0 with RC4 is most often the result of an innocent server or network error, but the browser cannot tell that apart from a man-in-the-middle attacker forcing the downgrade. For this reason, RC4 is now entirely disabled by default for Microsoft Edge and Internet Explorer users on Windows 8.1 and Windows 10.

How can I prepare?

We expect that most users will not notice this change. The percentage of insecure web services that support only RC4 is known to be small and shrinking.

If your web service relies on RC4, you will need to take action. Since 2013, Microsoft has recommended that customers enable TLS 1.2 in their services and remove support for RC4. For additional details, please see Security Advisory 2868725. For supported ciphers, and additional information on ciphers, see Cipher Suites in TLS/SSL (Schannel SSP).
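For a service that runs on Windows and terminates TLS through Schannel (IIS, RDP, Exchange and so on), the change the advisory asks for is a handful of registry values. The script below is an added example for this post, not Microsoft's own Fix-it package from the advisory: it sets `Enabled = 0` under the Schannel `Ciphers\RC4 …` keys, enables TLS 1.2 for both the server and client sides under `Protocols\TLS 1.2`, and reads the cipher state back so the result can be verified. The function names are this example's own; the registry paths are the documented Schannel layout. Run it elevated, and reboot afterwards because Schannel reads these keys at startup. Services that use their own TLS stack (OpenSSL, Java) are unaffected by these keys and must be configured separately.

```powershell
# Added example: disable RC4 and enable TLS 1.2 in Schannel, then verify.
$Schannel = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

# Cipher key names documented for Schannel. A name that this OS version does not
# use is simply created and stays inert, so it is safe to set all of them.
$Rc4Keys = 'RC4 128/128', 'RC4 64/128', 'RC4 56/128', 'RC4 40/128'

function Set-SchannelDword {
    param([string]$SubKey, [string]$Name, [int]$Value)
    # The .NET registry API is used instead of New-ItemProperty because the cipher
    # key names contain '/', which the PowerShell registry provider cannot address.
    $key = [Microsoft.Win32.Registry]::LocalMachine.CreateSubKey("$Schannel\$SubKey")
    try   { $key.SetValue($Name, $Value, [Microsoft.Win32.RegistryValueKind]::DWord) }
    finally { $key.Close() }
}

function Disable-SchannelRc4 {
    foreach ($cipher in $Rc4Keys) {
        Set-SchannelDword -SubKey "Ciphers\$cipher" -Name 'Enabled' -Value 0
    }
}

function Enable-SchannelTls12 {
    # Enabled=1 turns the protocol on; DisabledByDefault=0 lets it be offered without
    # the caller asking for it explicitly. Both are needed on older Windows Server.
    foreach ($side in 'Server', 'Client') {
        Set-SchannelDword -SubKey "Protocols\TLS 1.2\$side" -Name 'Enabled'           -Value 1
        Set-SchannelDword -SubKey "Protocols\TLS 1.2\$side" -Name 'DisabledByDefault' -Value 0
    }
}

function Get-SchannelRc4State {
    # One row per RC4 key; usable on its own to audit hosts that were not touched.
    foreach ($cipher in $Rc4Keys) {
        $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey("$Schannel\Ciphers\$cipher")
        if ($key) {
            $state = $key.GetValue('Enabled', 'value not set (OS default applies)')
            $key.Close()
        } else {
            $state = 'key absent (OS default applies)'
        }
        [pscustomobject]@{ Cipher = $cipher; Enabled = $state }
    }
}

Disable-SchannelRc4
Enable-SchannelTls12
Get-SchannelRc4State | Format-Table -AutoSize
Write-Host 'Reboot required before Schannel applies these settings.'
```

After the reboot, a client that offers only RC4 suites should fail its handshake against the service; if it still succeeds, the TLS endpoint is not Schannel and needs its own cipher configuration.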

– Brent Mills, Senior Program Manager, Windows Experience

Updated October 17, 2016 4:05 pm

Join the conversation

  1. It seems there is something wrong with the IE patch for W7/2008R2.
    Windows 7 (and 2008R2) is still able to access RC4-only servers after installing this patch,
    while Windows 8.1 (and 2012R2) are blocking such servers after installing this patch.
    And why does 2012 (“R1” / IE10) not also get such an RC4 block?

    • Hi Malte – thank you for reporting this, we’re aware and are investigating the issue.

    • Following up here – we are aware of an issue that may cause RC4 to remain enabled on Windows 7 devices after installing this update. We are working on a fix and will update this article when it is available.

    • The fix for this issue is now available in the 10/11 cumulative update. Please let us know if you continue to see issues!

  2. It looks like I’m still able to connect with RC4 on IE11 in Windows 8.1 after the patch…
    Properties of the page (hosted on Windows 2003SP2): TLS 1.0, RC4 with 128 bit encryption (High); RSA with 4096 bit exchange.