Internet Explorer-hosted applications that have managed controls and No Touch deployment may not work correctly after you install security update 2960358

Symptoms
After you install the update that corresponds to Microsoft Security Advisory 2960358 for the .NET Framework, Internet Explorer hosted applications that have managed controls and No-Touch deployment applications may not start correctly. This behavior may only occur on Internet Explorer 9, and not on Internet Explorer 10 or Internet Explorer 11. 
Cause
Microsoft Security Advisory 2960358 for the .NET Framework disables the RC4 cipher in Transport Layer Security (TLS), and updates the default from TLS 1.0 to the more secure TLS1.2 protocol. Installing the security update in some cases may result in a failure to establish a connection in order to prevent an attacker to perform man-in-the-middle attacks and recover plaintext from encrypted sessions.
Workaround
As recommended in Security Advisory 2960358, customers should test this update for disabling RC4 before implementation in their environments. Although most applications will not be affected by this change, if an Internet Explorer-hosted managed application no longer works correctly, consider the following options:
  • Move away from No-Touch and use ClickOnce where applicable.
  • Disable RC4 on the computer. For more information about how to do this, click the following article number to view the article in the Microsoft Knowledge Base:
    245030 How to restrict the use of certain cryptographic algorithms and protocols in Schannel.dll
    The registry key setting can be found here:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 <suite>

    "Enabled"=dword:0
Affected products

The information in this article applies to:


  • Microsoft .NET Framework 2.0 SP2
  • Microsoft .NET Framework 3.5 
  • Microsoft .NET Framework 3.5.1
  • Microsoft .NET Framework 4
  • Microsoft .NET Framework 4.5
  • Microsoft .NET Framework 4.5.1
  • Microsoft .NET Framework 4.5.2
Security update patch bulletin .NET Framework for Disabling RC4 in .NET TLS
Properties

Article ID: 2978675 - Last Review: 08/15/2014 21:17:00 - Revision: 2.0

  • KB2978675
Feedback