Blog - Creative Collaboration

Senator blasts Microsoft for making default Windows vulnerable to “Kerberoasting”

September 10, 2025

A prominent US senator has called on the Federal Trade Commission to investigate Microsoft for “gross cybersecurity negligence,” citing the company’s continued use of an obsolete and vulnerable form of encryption that Windows uses by default.

In a letter to FTC Chairman Andrew Ferguson, Sen. Ron Wyden (D–Ore.) said an investigation his office conducted into the 2024 ransomware breach of the health care giant Ascension found that the default use of the RC4 encryption cipher was a direct cause. The breach led to the theft of medical records of 5.6 million patients.

It’s the second time in as many years that Wyden has used the word “negligence” to describe Microsoft’s security practices.

“Dangerous software engineering decisions”

“Because of dangerous software engineering decisions by Microsoft, which the company has largely hidden from its corporate and government customers, a single individual at a hospital or other organization clicking on the wrong link can quickly result in an organization-wide ransomware infection,” Wyden wrote in the letter, which was sent Wednesday. “Microsoft has utterly failed to stop or even slow down the scourge of ransomware enabled by its dangerous software.”

RC4 is short for Rivest Cipher 4, a nod to mathematician and cryptographer Ron Rivest of RSA Security, who developed the stream cipher in 1987. It was a trade-secret-protected proprietary cipher until 1994, when an anonymous party posted a technical description of it to the Cypherpunks mail list. Within days, the algorithm was broken, meaning its security could be compromised using cryptographic attacks. Despite the known susceptibility to such attacks, RC4 remained in wide use in encryption protocols, including SSL and its successor TLS, until about a decade ago.

Microsoft, however, continues to support RC4 as the default means for securing Active Directory, a Windows component that administrators use to configure and provision user accounts inside large organizations. While Windows offers more robust encryption options, many users don’t enable them, causing Active Directory to fall back to the Kerberos authentication method using the vulnerable RC4 cipher.

In a blog post published Wednesday, cryptography expert Matt Green of Johns Hopkins University said continued support of Kerberos and RC4—combined with a common misconfiguration that gives non-admin users access to privileged Active Directory functions—opens the networks to “kerberoasting,” a form of attack that uses offline password-cracking attacks against Kerberos-protected accounts that haven’t been configured to use stronger forms of encryption. Kerberoasting has been a known attack technique since 2014.
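For defenders, the exposure described above can be checked per account: Active Directory records which Kerberos encryption types an account accepts in the `msDS-SupportedEncryptionTypes` bitmask. The following audit is an added example, not code from the article, Wyden's letter, or Microsoft; it assumes a CSV export with the three columns shown, and the account names and SPNs are constructed.

```python
import csv
import io

# Bit flags of the msDS-SupportedEncryptionTypes attribute.
RC4_HMAC, AES128, AES256 = 0x4, 0x8, 0x10
AES_ANY = AES128 | AES256

# Constructed sample export; every account name and SPN here is made up.
SAMPLE_EXPORT = """sAMAccountName,servicePrincipalName,msDS-SupportedEncryptionTypes
svc-sql,MSSQLSvc/db01.corp.example:1433,
svc-web,HTTP/intranet.corp.example,4
svc-backup,backup/bk01.corp.example,28
svc-app,HTTP/app.corp.example,24
alice,,
"""

def classify(enc_types):
    """Return a finding for one encryption-type bitmask, or None if AES-only."""
    if enc_types == 0:
        return "unset: falls back to the default, which the article says is RC4"
    if enc_types & RC4_HMAC:
        if enc_types & AES_ANY:
            return "RC4 still permitted alongside AES"
        return "RC4 permitted and no AES type enabled"
    if not enc_types & AES_ANY:
        return "no AES type enabled"
    return None

def audit(export_text):
    """Return (account, finding) for each SPN-bearing account not limited to AES."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        if not row["servicePrincipalName"].strip():
            continue  # no SPN, so no service ticket is issued for this account
        raw = row["msDS-SupportedEncryptionTypes"].strip()
        enc_types = int(raw, 0) if raw else 0  # accepts decimal or 0x-prefixed hex
        finding = classify(enc_types)
        if finding:
            findings.append((row["sAMAccountName"], finding))
    return findings

if __name__ == "__main__":
    for account, finding in audit(SAMPLE_EXPORT):
        print(f"{account}: {finding}")
```

Accounts the audit reports are the ones to move to AES-only encryption types and long, random passwords.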

    © CC Startup, Powered by Creative Collaboration. © 2020 Creative Collaboration, LLC. All Rights Reserved.
