Ethical Hacking News
Senator blasts Microsoft for making default Windows vulnerable to “Kerberoasting” - Ars Technica
In a scathing letter to the Federal Trade Commission, Senator Ron Wyden has accused Microsoft of gross cybersecurity negligence by continuing to support the outdated and insecure RC4 encryption technology. This is despite the fact that its continued use poses significant risks to customers, including ransomware and other cyber threats.
- Microsoft continues to support the insecure RC4 encryption technology despite widespread criticism.
- The use of RC4 puts customers at risk of ransomware and other cyber threats, particularly in large organizations using Active Directory.
- Many users do not enable more robust encryption options, causing Active Directory to fall back to the vulnerable RC4 cipher.
- The Kerberos authentication method using RC4 can be cracked by hackers who gain access to a corporate network.
- The continued use of RC4 has been linked to several high-profile breaches, including the 2024 ransomware attack on Ascension.
- Microsoft has been criticized for not explicitly warning its customers about the vulnerability and for providing inadequate warnings.
Microsoft's continued support for the ancient and insecure RC4 encryption technology has put its customers at risk of ransomware and other cyber threats. This is according to Senator Ron Wyden, who has called on the Federal Trade Commission to investigate Microsoft for "gross cybersecurity negligence."
RC4 is a stream cipher that was first introduced in 1987 by mathematician and cryptographer Ron Rivest. Despite being broken within days of its release due to its vulnerability to cryptographic attacks, RC4 remained in use until around a decade ago. However, Microsoft continues to support it as the default means for securing Active Directory, a Windows component used by large organizations.
The problem with this is that many users do not enable more robust encryption options, causing Active Directory's Kerberos authentication to fall back to the vulnerable RC4 cipher. This allows hackers who gain access to any computer on a corporate network to crack the passwords of privileged accounts used by administrators. According to Microsoft, this threat can be mitigated by setting passwords of at least 14 characters, but the company's software does not require that password length for privileged accounts.
Furthermore, Green noted that the ever-increasing speed of GPUs means that even passwords that appear strong can still fall victim to offline cracking attacks. This is because the cryptographic hashes that default RC4/Kerberos relies on use no salt and only a single iteration of the MD4 algorithm. The combination means an offline cracking attack can make billions of guesses per second, giving hackers roughly a thousandfold advantage over cracking the same password as hashed by non-Kerberos authentication methods.
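One detection a defender can build on the point above, added here as an example (it is not code from the article, from Senator Wyden's office or from Microsoft): a Python script that scans Windows Security event 4769 records ("A Kerberos service ticket was requested") and flags tickets issued with the RC4-HMAC encryption type (0x17, a real Windows value) for non-machine service accounts, which are the tickets exposed to the offline cracking described above. The sample events and the flattened key=value line format are constructed for the example and assume a log pipeline that emits one event per line.

```python
# Added example: flag RC4-encrypted Kerberos service-ticket requests in
# Windows Security event 4769 logs. Sample events below are constructed.

# Encryption-type code as logged in event 4769 (rc4-hmac: key is the
# unsalted, single-round MD4 hash of the account password).
RC4_HMAC = 0x17

# Constructed sample events in a hypothetical 'key=value;' pipeline format.
SAMPLE_EVENTS = [
    "EventID=4769;AccountName=alice@CORP.LOCAL;ServiceName=WS01$;TicketEncryptionType=0x12;FailureCode=0x0",
    "EventID=4769;AccountName=alice@CORP.LOCAL;ServiceName=svc_sql;TicketEncryptionType=0x17;FailureCode=0x0",
    "EventID=4769;AccountName=alice@CORP.LOCAL;ServiceName=svc_backup;TicketEncryptionType=0x17;FailureCode=0x0",
    "EventID=4769;AccountName=bob@CORP.LOCAL;ServiceName=krbtgt;TicketEncryptionType=0x17;FailureCode=0x0",
    "EventID=4768;AccountName=bob@CORP.LOCAL;ServiceName=krbtgt;TicketEncryptionType=0x17;FailureCode=0x0",
    "EventID=4769;AccountName=bob@CORP.LOCAL;ServiceName=svc_web;TicketEncryptionType=0x11;FailureCode=0x0",
]

def parse_event(line: str) -> dict:
    """Split one flattened 'k=v;k=v' line into a dict (values may contain '=')."""
    return dict(kv.split("=", 1) for kv in line.strip().strip(";").split(";") if "=" in kv)

def is_user_service_account(service: str) -> bool:
    """Machine accounts ('NAME$') carry long random passwords and krbtgt
    requests are routine; the risk is a human-chosen password behind an SPN."""
    return not service.endswith("$") and service.lower() != "krbtgt"

def find_rc4_service_tickets(lines) -> list[tuple[str, str]]:
    """Return (requesting account, service) for every successful 4769 that
    issued an RC4-HMAC ticket for a non-machine service principal."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "4769" or ev.get("FailureCode") != "0x0":
            continue
        if int(ev.get("TicketEncryptionType", "0x0"), 16) != RC4_HMAC:
            continue
        if is_user_service_account(ev["ServiceName"]):
            hits.append((ev["AccountName"], ev["ServiceName"]))
    return hits

def bulk_requesters(hits, threshold: int = 2) -> set[str]:
    """Accounts that pulled RC4 tickets for >= threshold distinct services;
    a burst of such requests is a stronger signal than a single ticket."""
    per_account: dict[str, set[str]] = {}
    for account, service in hits:
        per_account.setdefault(account, set()).add(service)
    return {a for a, s in per_account.items() if len(s) >= threshold}

if __name__ == "__main__":
    for account, service in find_rc4_service_tickets(SAMPLE_EVENTS):
        print(f"RC4 service ticket issued: {account} -> {service}")
```

On a real domain the same logic runs over exported 4769 events; a hit list that is empty after RC4 is disabled on service accounts is the check that the mitigation took effect.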
Senator Wyden's office conducted an investigation into the 2024 ransomware breach of the healthcare giant Ascension and found that the default use of the RC4 cipher was directly responsible for the breach. The attackers used Microsoft Edge to search Microsoft's Bing site, infecting a contractor's laptop, before expanding their hold by attacking Ascension's Active Directory and abusing its privileged access to push malware to thousands of other machines inside the network.
Wyden has also criticized Microsoft for declining to explicitly warn its customers that they are vulnerable to the Kerberoasting hacking technique unless they change the default settings chosen by Microsoft. Instead, the company has provided only a "highly technical blog post" announcing its plan to deprecate RC4/Kerberos, which was published on an obscure area of the company's website on a Friday afternoon.
Microsoft has responded by stating that it has already deprecated the use of DES, another encryption scheme with known vulnerabilities. The company claims that disabling RC4 completely would break many customer systems and has therefore decided to gradually reduce its use while providing strong warnings against relying on it. Microsoft has also stated that it plans to disable RC4 by default in new Active Directory domains created on Windows Server 2025, but this will not address the issue for existing deployments.
Related Information:
https://www.ethicalhackingnews.com/articles/MICROSOFTS-ENDANGERING-ITS-CUSTOMERS-WITH-DEPRECATED-ENCRYPTION-TECHNIQUE-ehn.shtml
https://arstechnica.com/security/2025/09/senator-blasts-microsoft-for-making-default-windows-vulnerable-to-kerberoasting/
https://www.archyde.com/windows-11-security-flaw-senator-blasts-microsoft/
https://www.wyden.senate.gov/news/press-releases/wyden-calls-for-ftc-investigation-of-microsoft-for-enabling-ascension-hospital-ransomware-hack-with-insecure-software
Published: Wed Sep 10 16:48:07 2025 by llama3.2 3B Q4_K_M