• IE security update KB 4012204 trips a Logjam security test warning

    #105714

    Interesting post from @Sportsfan: After installing the IE security update 4012204, IE 11 no longer passes the Logjam security test at Qualys SSL Labs.
    [See the full post at: IE security update KB 4012204 trips a Logjam security test warning]

    • #105727

      I have the patch installed on W7/32. I ran the test on my system and there was no Logjam vulnerability found, so the patch is working. Passed 100%.

      • #105736

        The problem was with IE11. Were you using IE11 or another browser?

        • #105743

          I was using IE11 at the time.

          1 user thanked author for this post.
    • #105729

      Installed the patch and the hotfix yesterday on Win 7 Pro / 64 and it also passes the Logjam security test.

      Win10 Pro x64 22H2, Win10 Home 22H2, Linux Mint + a cat with 'tortitude'.

      • #105735

        The problem was with IE11. Were you using IE11 or another browser?

    • #105742

      Internet Explorer 11 on Windows 10 1607 shows for me that it is not vulnerable to the Logjam attack.

      1 user thanked author for this post.
    • #105746

      Internet Explorer 11 on Windows 8.1 passes the Logjam test.  I didn’t install the hotfix since I didn’t know there was one.  I installed only KB4012204.

       

      1 user thanked author for this post.
    • #105752

      I’m running Windows 7 x64 Ultimate with both IE 11 and SlimJet (Chrome knockoff with all Google telemetry removed and additional privacy and security enhancements added).

      The mentioned SSL Labs test page reports that SlimJet is not vulnerable to LogJam vulnerability, but reports my IE 11 vulnerable.

      I have only the “March 2017 Security Only Quality Update for Windows 7 SP1 and Windows Server 2008 R2 SP1” (KB 4012212) and “MS17-006 Security update for Internet Explorer March 14, 2017” (KB 4012204) and Office updates installed.

      I rarely if ever use IE 11 (SlimJet(*) is my preferred default browser) but do not like that IE 11’s security has gone backwards.

      Where is this HotFix that Steven S. mentioned in his post? I’d like to give it a try!

      —————————–
      (*) https://www.slimjet.com/

    • #105758

      Oh dear, this is peculiar. Two machines, both Win7 64 bit home premium, both with the Group B updates. I tried Pale Moon, and got a “test fail” since Pale Moon doesn’t support SSL by default. Tried the manual test for Logjam, it’s working. That’s stable.

      It gets odder with IE 11 (current upgrades and hotfix).

      First pass on desktop; failed Logjam

      Tested on laptop; passes (Never used IE on it before; Home page at MSN with Bing Bar active.)

      Second test on desktop; passes.

      Subsequent tests; TLS 1.2 not always showing as active. On the other hand, I’m on satellite internet, so my query/response can be a problem. On the gripping hand, no more Logjam failures on any browser. (Pale Moon says why it won’t connect; IE11 just won’t connect.)

      I’ll use IE a bit when something doesn’t work right on Pale Moon; I’m running once a week or so, and I’ll do this with a site I trust.

      Have I mentioned that I’m getting tired of Windows?

      • #105810

        Pete, I just (re)checked my Pale Moon x64 27.2.1 on the Qualys site and it’s fine, both on the native and on the Firefox user agents. SSL is not needed (insecure), TLS is.

        • #105888

          Sorry, forgot to log in. The occasional “TLS 1.2 not active” message was on IE-11. Pale Moon had consistent results (27.2.1, default security settings, Firefox user agent).

        • #105887

          I found with satellite internet that the speed-of-light lags can cause problems if there’s a lot of query-and-response traffic. It can take a couple of tries for a few websites. Pale Moon 27.2.1, default security protocol settings.

    • #105780

      Installed the 4012204 on my IE 11 on Win 7 64bit and the 4012212 security only and we DO pass the logjam test at Qualys SSL Labs. Installed 4012204 first, then 4012212, then MSRT last.

    • #105806

      For a fully patched IE 11 on Win 7 Pro x64: passes all tests at https://www.ssllabs.com/ssltest/viewMyClient.html (as does Firefox).

      Question to those for whom IE 11 is failing: under Tools —> Internet Options —> Advanced —> Security, are both “Use SSL 2.0” and “Use SSL 3.0” unchecked?  (if not, then try unchecking them, restart the browser and run the tests again; only the “TLS” boxes should be checked).

      2 users thanked author for this post.
      • #105909

        That was the first thing I looked for — both the SSL 2.0 and 3.0 boxes were unchecked. I also don’t use any AV that uses MITM.

        When I installed the patches, I did 4012204 first, then a reboot. It failed the Logjam test. Then I added the hotfix, which didn’t ask for a reboot; it still failed the Logjam test. I added the remaining security patch last and rebooted, but it made no difference.

        I always run the Qualys test to check for problems after updating any browser, which is how I happened to notice the issue with IE and this month’s patches.

        Windows 10 Home 64-bit

    • #105815

      Windows 7 64 bit Home Premium Server 2008 R2.
      I am Group B.
      I applied the March Security only patch KB4012212 and the Malicious Tool.

       

       

      I’m not passing the logjam test either.
      I did a little research and found out that back in May 2015 when the logjam problem was a problem, MS apparently put out a patch for the vulnerability.  It was KB3061518 listed as important.  At that time it is reported that IE11 was the only browser that was fixed.
      My records show that at that time, I was only installing “critical” updates, so my records show that I put that update on “hold”, which means I “hide” it. (I know, I know, not supposed to hide updates)
      I looked into my hidden updates  and it was not there.
      I looked into my installed updates, and it was not there.
      I looked into the Microsoft Update Catalog and it was there.
      I did check and my SSL 2.0 and SSL 3.0 are unchecked.

      I’m thinking that maybe I’m not passing the test because I do not have the
      KB3061518 patch installed.

      I was wondering if those who are not also passing the test do not have KB3061518 installed,
      and that the March IE Cumulative update and hot fix have nothing to do with it.

      What do you all think?

    • #105822

      I have installed KB4012204, did restart, installed KB4016446, did restart. So far, mine passes the Logjam Test. I’m running Win 7 HP SP1 64bit With IE 11. HOPEFULLY nothing will turn up.

      Thanks to all for the tips and advice. VERY helpful.

      Dave

    • #105859

      Ok, I did more research. Kb3061518 was superseded many times over, so I’m ok with that.
      I did download the IE11 Cumulative Kb4012204 update first.
      Rebooted then downloaded and applied the Hot fix patch Kb401664.

      Did the Logjam test and passed.

      Seriously, after spending hours of this……
      Group A is looking better to me.

    • #105862

      No problems here. It passed the Qualys site tests.

    • #105915

      I haven’t yet installed any update this month (other than the MSRT), but will be doing so as Group A in a day or two.  Meanwhile I thought I’d run the Logjam test (which I’d not heard of before and know nothing about so hadn’t done previously) on both my Windows 7 desktops with identical versions of IE11 and Chrome.

      Both machines passed using Chrome.

      The first machine passed using IE11, the second one failed, and then re-running the test on the first one again it too failed.

      I’ll run the test again once I’ve installed the roll-up update KB4012215.

    • #105920

      I passed the Logjam test in all 5 scenarios that I tested with Internet Explorer 11:

      1. baseline: a years-old Internet Explorer version (IE v11.0.20): not vulnerable
      2. baseline + kb4012215 (IE v11.0.40): not vulnerable
      3. baseline + kb4012215 + kb4016446 (IE v11.0.40): not vulnerable
      4. baseline + kb4012204 (IE v11.0.40): not vulnerable
      5. baseline + kb4012204 + kb4016446 ( IE v11.0.40): not vulnerable

    • #105935

      Do we know whether some are truly vulnerable to the Logjam issue, or if this is just an artifact of how Qualys tests for Logjam?

    • #105945

      One factor that could perhaps be affecting tests: your antivirus program or other HTTPS interception software/hardware. See https://www.askwoody.com/forums/topic/ta17-075a-https-interception-weakens-tls-security/ and http://www.infoworld.com/article/3182192/security/warning-your-networking-tools-are-weakening-your-web-security.html for more details.

      2 users thanked author for this post.
    • #105953

      I’m confused. Will someone please explain to me why anyone is using Internet Explorer 11 and what is the “Logjam security test”.

      1 user thanked author for this post.
    • #105951

      An alternate Logjam browser test: https://weakdh.org/test.html

    • #105973

      The link in the first post also has a manual test for Logjam:

      “To test manually, click here. Your user agent is not vulnerable if it fails to connect to the site.”

    • #106062

      Okay, THIS is weird!

      Previously, the SSL Labs test was reporting that my IE 11 was vulnerable.

      Today however, it’s reporting I’m not vulnerable!

      I also tested using the alternate Logjam browser test and it too now passes!

      WT*?

      (me: confused)


      1 user thanked author for this post.
    • #106085

      I recommend to anyone that’s not passing a Logjam test to try the other Logjam tests and see if all three are in agreement.

      The three Logjam tests are:

      1. https://www.ssllabs.com/ssltest/viewMyClient.html

      2. https://www.ssllabs.com:10445/ (You pass the test if and only if you cannot connect to that page)

      3. https://weakdh.org/test.html

      If you’re not passing the Logjam tests, please post your antivirus product name (if any) and version.

      • #106091

        From reading the various posts, I believe that test #1 may be unreliable.

      • #106094

        Technical info about test #1: From SSL Labs 1.17: RC4, Obsolete Crypto, and Logjam:

        “That said, we did extend our SSL/TLS Client Test to detect when user agents accept Diffie-Hellman key exchange that has only 512 bits of security.”

      • #106095

        Another Logjam test:

        4. Click on “dh512” at https://badssl.com/. (You pass the test if and only if you cannot connect when you click on “dh512”)

      • #106149

        I’m group A, Win 7, 64 home premium, Mozilla 52, downloaded the March roll up. Took your three tests and passed all of them. Including not being able to get on the page you mentioned.

    • #106124

      I thought that for security reasons that people should not be using Internet Explorer 11 and that this has been the case for a long time.  It was my understanding  that we should keep it on our computers and to set it to update  but not use it.

      Perhaps Woody could also comment on this.

       

      • #106145

        That’s precisely correct.

        Microsoft’s discontinuing IE. What more need be said?

        • #106158

          Personally I think it’s a loss to the world that IE is being discontinued.

          Why?

          Because it has the most configurable, controllable security model of them all. Out of the box IE’s configuration is quite permissive – overly so – which is why it’s gotten a bad rep! But in terms of having been for a very long time the biggest target Microsoft had to design in a lot of things that make it quite possibly the MOST secure browser when the settings are changed to their most secure positions.

          Edge is simply not nearly as configurable, and the dumbed-down default settings are not as secure as the most restrictive of IE settings.

          So where does that leave us?

          Chrome or Firefox (or a derivative of Firefox). Not bad choices, but not best-in-show either. I’m sorry to say that to fans of those packages.

          IE can still be a formidable browser with the tightest security settings while still providing a pleasant browsing experience.

          “Microsoft’s discontinuing IE. What more need be said?”

          Now Woody, at first blush that statement seems to be reasonable, but think about it a bit… What other decisions has Microsoft made lately that are good for us?

          IMO, IE should not be counted out – yet. It’s still going to be supported for quite a few years.

          -Noel

          1 user thanked author for this post.
    • #106151

      My test results for tests #1-4 for Internet Explorer 11 on Windows 7 x64 with March 2017 monthly rollup installed:

      Test 1: Passed

      Test 2: Passed

      Test 3: Passed

      Test 4: Passed

    • #106159

      By the way, lest people take what the SSLLabs.com web site tells them as gospel, if you run the test several times in a row you will find that it can produce different results.

      An unpatched IE will be shown as “vulnerable” sometimes, but not others, with no configuration changes…

      [Image: VulnerableOrNot]

      [Image: Vulnerable]

      The worst thing people can do is base decisions off flawed test results. Always be skeptical of what you are seeing on the Internet!

      -Noel

      2 users thanked author for this post.
    • #106174

      Today I reinstalled kb 4012204 without the hotfix and rebooted. IE 11 FAILED the Qualys automated and manual Logjam tests, but it PASSED the test at https://weakdh.org/test.html. IE 11 also PASSED the dh512 test at badssl.com but FAILED the dh small subgroup and dh composite tests. In contrast, Firefox 52 passes all tests, even the dh 1024 and dh 2048 test.

      Since I think the risk of an unpatched RCE exploit is worse than the small likelihood of encountering a bad server vulnerable to Logjam, I have decided to keep the IE update for now.

      Windows 10 Home 64-bit

      • #106183

        I am surprised that test #2 could differ from test #4 in a given configuration. Just to make sure, when you do test #2, you are able to view the page or not?

      • #106192

        I believe that you may have misinterpreted pass and fail for tests #2 and #4. For either of those two tests, if you can view the page, you fail. If the browser doesn’t show the page, you pass. To recap, test #2 is visiting https://www.ssllabs.com:10445/, and test #4 is visiting https://dh512.badssl.com/.

        • #106222

          By “pass” I meant the page said it wasn’t vulnerable or didn’t load. By “fail” I meant the page said it was vulnerable or that the dh 512 (etc.) loaded.

          Oddly enough, about 3 hours after I reinstalled the kb and got the “vulnerable” message from Qualys, IE 11 now passes all the tests except the dh small subgroup and dh composite from badssl.com. I didn’t do anything else with the computer during that time except browsing with Firefox.

          I’m not sure if there’s some peculiarity in the Qualys test, or if IE 11 needed time after the reboot to change or finalize some settings.

          Windows 10 Home 64-bit

          • #106263

            Can you please say “connects” or “doesn’t connect” for each of these pages, for both IE 11 and Firefox: a) https://dh480.badssl.com/, b) https://dh512.badssl.com/, c) https://dh1024.badssl.com/, d) https://dh2048.badssl.com/, and e) https://www.ssllabs.com:10445/

            Here are my results for Internet Explorer 11 (fully patched):

            a) doesn’t connect

            b) doesn’t connect

            c) connects

            d) connects

            e) doesn’t connect

            Here are my results for Firefox v52.0.2:

            a) doesn’t connect

            b) doesn’t connect

            c) connects

            d) connects

            e) doesn’t connect

            • #106335

              IE 11, patched (but no hotfix):

              a) doesn’t connect

              b) doesn’t connect

              c) connects

              d) connects

              e) doesn’t connect

              FF 52.0.2 (with SSleuth enabled):

              a) doesn’t connect

              b) doesn’t connect

              c) doesn’t connect

              d) doesn’t connect

              e) doesn’t connect

              Windows 10 Home 64-bit

            • #106345

              Your Internet Explorer results match mine, and seem to indicate that your Internet Explorer is not vulnerable to Logjam. Perhaps you could ask at https://community.qualys.com/ why these test results conflict with some of your previous Internet Explorer Logjam tests.

              Your Firefox results also seem to indicate that your Firefox is not vulnerable to Logjam, but your relevant Firefox settings may be too restrictive since you couldn’t connect in tests c and d.

    • #106169

      Test results for a years-old version of Internet Explorer 11 on Windows 7 x64 that has had few (if any) security-related Windows updates installed since service pack 1:

      Test 1: Passed

      Test 2: Passed

      Test 3: Passed

      Test 4: Passed

       

      Test results with same configuration as last test except with March 2017 cumulative Internet Explorer update installed:

      Test 1: Passed

      Test 2: Passed

      Test 3: Passed

      Test 4: Passed

    • #106191

      OK; I’m group B. I failed the SSLLabs test after installing both Win7 updates. I uninstalled them and passed. Yesterday I ran the security only update and failed again. I then updated IE, downloading both updates from Woody’s links. I did a reboot after each installation, and still failed. I said enough, shut down my machine, and went to bed. Today I went and checked on the SSLLabs site, and was surprised to find that I passed. Also passed at weakdh.

      justaned

    • #106197

      For what it’s worth: passed all the tests before and after KB4012204.

      Win 7 pro 64 sp1 IE 11 MS Security Essentials

      Does that mean I don’t need the hotfix KB4016446?

    • #106357

      Not to complicate things but…

      There’s a difference in behavior between Internet Explorer on Win 8.1 vs. 10.

      Win 8.1:

      [Image: IEOnWin81]

      Win 10:

      [Image: IEOnWin10]

      -Noel

    • #106354

      Here are two more Logjam tests (these are the development versions corresponding to tests 1 and 2):

      5. https://dev.ssllabs.com/ssltest/viewMyClient.html

      6. https://dev.ssllabs.com:10445/ (You pass the test if and only if you cannot connect to that page)

      For quick reference, here are the other 4 Logjam tests already mentioned in this thread:

      1. https://www.ssllabs.com/ssltest/viewMyClient.html

      2. https://www.ssllabs.com:10445/ (You pass the test if and only if you cannot connect to that page)

      3. https://weakdh.org/test.html

      4. https://dh512.badssl.com/ (You pass the test if and only if you cannot connect to that page)

      I have now personally seen these inconsistencies involving the ssllabs.com tests (1, 2, 5, 6):

      a) Test 1 is inconsistent between various runs. I also noticed that the list of cipher suites can be inconsistent between various runs.

      b) Test 1 is inconsistent with test 2.

      c) Test 1 is inconsistent with test 5.

      d) Test 2 gives different results depending on whether it’s clicked on page of test 1 vs. opened in a separate tab.

      e) Test 2 is inconsistent with test 6.

      What a mess! I advise to consider tests 1, 2, 5, and 6 to be unreliable. Perhaps somebody can clear things up at https://community.qualys.com/.

       

      • #106406

        (I am the same poster as post #106354)

        The fact that I sometimes was able to view the page https://www.ssllabs.com:10445/ (which supposedly uses weak crypto settings on purpose) when I clicked on the “manual” link from page https://www.ssllabs.com/ssltest/viewMyClient.html on a fully patched Windows 7 x64 computer (Group A, without kb4016446 installed) raises the possibility that Internet Explorer exhibits inconsistent behavior on the same computer. Another possibility is that the web server that serves page https://www.ssllabs.com:10445/ sometimes doesn’t use the weak crypto settings that it’s supposed to use. My antivirus is set to not do HTTPS interception, so that’s probably not a factor.

    • #106442

      According to https://community.qualys.com/docs/DOC-5737-ssl-labs-changelog, on April 3, 2017, a new version of https://www.ssllabs.com/ssltest/viewMyClient.html was released. You may wish to retest.

      Also, if you are able to connect to https://www.ssllabs.com:10445/ (which means that you fail that test), and you believe this is wrong, for troubleshooting purposes please post the Connection used.

       

      • #106484

        My patched IE (KB4012204) now consistently passes the LogJam tests on the updated ssllabs viewMyClient.html pages.

        -Noel

    • #106503

      I have tried test 1 and test 2 (clicked on from Logjam “manual” link of page of test 1) 3 different times today on a fully patched Windows 7 computer using Internet Explorer 11. The first two times I passed both tests. The third time I failed both tests.

      The cipher suite used for the failed test 2 (screenshot) was “TLS 1.2, AES with 128 bit encryption (High); ECDH_P256 with 256 bit exchange.” The “ECDH” part of that stands for Elliptic curve Diffie–Hellman, which indicates that the cipher suite used in the connection wasn’t actually vulnerable to Logjam; reference: https://weakdh.org/sysadmin.html. Thus, I believe that the result from the failed test 2 is incorrect.

      My advice from yesterday has not changed: I advise to consider tests 1, 2, 5, and 6 to be unreliable.

      P.S. I withdraw my claim from yesterday that “I also noticed that the list of cipher suites can be inconsistent between various runs.”
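
Added example, not part of any post in this thread: a small Python triage of the connect/doesn't-connect results and the "Connection used" string discussed above, which treats a connection to a weak-DH test page as a real Logjam failure only when the negotiated key exchange was finite-field DH of 512 bits or less. The function names, the verdict labels and the "DH with 512 bit exchange" string are assumptions made for illustration; the ECDH string and the host results are the ones reported in the thread.

```python
import re

# Key-exchange part of an IE "Connection used" string, e.g.
# "...; ECDH_P256 with 256 bit exchange."
_KX = re.compile(r";\s*([A-Za-z0-9_]+) with (\d+) bit exchange", re.IGNORECASE)

EXPORT_DH_BITS = 512  # size named in the SSL Labs quote in the thread

# Test hosts from the thread: a non-vulnerable browser refuses the first
# group and is expected to connect to the second.
SHOULD_REFUSE = ("dh480.badssl.com", "dh512.badssl.com", "www.ssllabs.com:10445")
SHOULD_CONNECT = ("dh1024.badssl.com", "dh2048.badssl.com")


def classify_connection(desc):
    """Return (key_exchange, bits, verdict) for a 'Connection used' string."""
    m = _KX.search(desc or "")
    if not m:
        return (None, None, "unparsed")
    kex, bits = m.group(1).upper(), int(m.group(2))
    if kex.startswith("ECDH"):
        # Elliptic-curve DH is not the finite-field DH that Logjam downgrades.
        return (kex, bits, "not-logjam")
    if kex in ("DH", "DHE"):
        verdict = "logjam-weak" if bits <= EXPORT_DH_BITS else "dh-above-512"
        return (kex, bits, verdict)
    return (kex, bits, "not-dh")


def interpret_probes(results):
    """results maps host -> (connected, connection_desc_or_None).

    Hosts missing from results are treated as not tested.
    """
    confirmed, unconfirmed = [], []
    for host in SHOULD_REFUSE:
        connected, desc = results.get(host, (False, None))
        if not connected:
            continue
        verdict = classify_connection(desc)[2]
        (confirmed if verdict == "logjam-weak" else unconfirmed).append(host)
    refused = [h for h in SHOULD_CONNECT
               if not results.get(h, (True, None))[0]]
    if confirmed:
        return "vulnerable"
    if unconfirmed:
        # Page loaded, but nothing shows weak DH was actually negotiated.
        return "inconclusive"
    if refused:
        return "not vulnerable, settings may be too restrictive"
    return "not vulnerable"


# Results as reported in the thread.
IE11_PATCHED = {h: (False, None) for h in SHOULD_REFUSE}
IE11_PATCHED.update({h: (True, None) for h in SHOULD_CONNECT})
FIREFOX_SSLEUTH = {h: (False, None) for h in SHOULD_REFUSE + SHOULD_CONNECT}
FAILED_TEST_2 = {"www.ssllabs.com:10445": (
    True, "TLS 1.2, AES with 128 bit encryption (High); "
          "ECDH_P256 with 256 bit exchange.")}
# Constructed sample: what a genuinely weak negotiation might look like.
CONSTRUCTED_WEAK = {"dh512.badssl.com": (True, "TLS 1.2; DH with 512 bit exchange")}

if __name__ == "__main__":
    for name, r in [("IE11", IE11_PATCHED), ("Firefox", FIREFOX_SSLEUTH),
                    ("failed test 2", FAILED_TEST_2), ("weak", CONSTRUCTED_WEAK)]:
        print(name, "->", interpret_probes(r))
```

A connection to a test page with no recorded "Connection used" string is reported as inconclusive rather than vulnerable, which is why recording that string matters when a test page unexpectedly loads.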
