

Ethical Hacking News

Microsoft Under Fire for Shipping "Dangerous, Insecure Software" that Helped Cripple US Hospital Network




  • Senator Ron Wyden accuses Microsoft of shipping "dangerous, insecure software" that facilitated a ransomware attack on Ascension's hospital network.
  • The attack was made possible by Microsoft's default configurations and outdated encryption algorithms.
  • A contractor's innocent search led to the download of malware, which attackers used to escalate privileges and deliver ransomware.
  • Ascension reported 5.6 million patient records stolen due to the breach, with devastating consequences for patients and staff.
  • Microsoft has been criticized by Wyden for its lack of urgency in addressing this issue despite knowing about it for years.
  • Wyden accuses Microsoft of prioritizing profit over security and calls for regulators to investigate and hold the company responsible.



    Senator Ron Wyden has accused Microsoft of shipping "dangerous, insecure software" that helped cybercrooks cripple one of America's largest hospital networks. The attack on Ascension, a Catholic nonprofit that runs over 140 hospitals across the US, was facilitated by Microsoft's default configurations and the use of outdated encryption algorithms.

    The case began to unravel when Wyden's office obtained new information from Ascension about the ransomware attack. It appears that a contractor using a company laptop ran a Bing search and clicked on a malicious result, which downloaded malware onto their device. The attackers then used well-known weaknesses in Microsoft's default configurations to escalate privileges, move laterally through the network, and deliver ransomware across thousands of machines.

    The attack had devastating consequences for Ascension, disrupting surgeries, forcing doctors and nurses to revert to pen and paper, and leading to the theft of personal and medical data belonging to roughly 5.6 million patients. This breach is just one example of the risks posed by Microsoft's default configurations, which Wyden argues are stacked against its users.

    Wyden points to a decades-old vulnerability known as "Kerberoasting" as a key factor in the breach. The attack relies on the fact that Microsoft continues to use RC4 as its default encryption algorithm, a choice security researchers have warned against for years. Although more secure options like AES exist, Redmond hasn't made the switch, a decision Wyden argues "needlessly exposes its customers to ransomware and other cyber threats."

    This is not an isolated incident. Wyden has previously criticized Microsoft for its lack of urgency in addressing this issue, despite having known about it for years. He notes that a promised patch to disable RC4 by default has yet to materialize nearly a year after being announced. Instead, the company has buried its security guidance in an obscure Friday blog post, rather than proactively warning customers.

    Wyden also argues that Microsoft's defaults are stacked against its users, pointing out that its password policies do not enforce the long, complex passwords needed to resist Kerberoasting attacks. Many customers are unaware of the risk until it is too late, and Wyden accuses the software giant of putting profit over security.
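    As an added illustration (not from the article, Wyden's letter or Microsoft), here is how a defender could spot the pattern described above in exported Windows Security event 4769 records: the TicketEncryptionType field records whether a service ticket was issued with RC4-HMAC (0x17) or AES (0x11/0x12), and one account pulling RC4 tickets for many distinct service accounts is the classic Kerberoasting signal. The event records, their field names and the threshold are constructed assumptions.

```python
"""Flag Kerberoasting-style service-ticket requests in exported Windows
Security event 4769 records. Sample events below are constructed."""
from collections import defaultdict

# Ticket encryption type codes as logged in event 4769 (TicketEncryptionType).
ENC_TYPES = {
    0x11: "AES128-CTS-HMAC-SHA1-96",
    0x12: "AES256-CTS-HMAC-SHA1-96",
    0x17: "RC4-HMAC",  # the legacy type Kerberoasting depends on
}

# Constructed 4769 records, assumed already parsed out of the event XML
# (field names are hypothetical; failure_code 0x0 means the request succeeded).
EVENTS = [
    {"user": "jdoe@CORP.LOCAL", "service": "svc_sql", "enc": 0x17, "failure_code": 0x0},
    {"user": "jdoe@CORP.LOCAL", "service": "svc_backup", "enc": 0x17, "failure_code": 0x0},
    {"user": "jdoe@CORP.LOCAL", "service": "svc_web", "enc": 0x17, "failure_code": 0x0},
    {"user": "asmith@CORP.LOCAL", "service": "svc_sql", "enc": 0x12, "failure_code": 0x0},
    {"user": "WS01$@CORP.LOCAL", "service": "krbtgt", "enc": 0x17, "failure_code": 0x0},
    {"user": "jdoe@CORP.LOCAL", "service": "DC01$", "enc": 0x17, "failure_code": 0x0},
]

def is_roastable_request(ev):
    """True for a successful RC4 service-ticket request to a non-machine service."""
    svc = ev["service"]
    if ev["failure_code"] != 0 or ev["enc"] != 0x17:
        return False
    # krbtgt and computer accounts ($) are routine ticket targets, not the
    # SPN-bearing user accounts whose RC4 tickets Kerberoasting cracks offline.
    return svc.lower() != "krbtgt" and not svc.endswith("$")

def rc4_services_by_requester(events):
    """Map each requesting account to the distinct services it obtained RC4 tickets for."""
    seen = defaultdict(set)
    for ev in events:
        if is_roastable_request(ev):
            seen[ev["user"]].add(ev["service"])
    return dict(seen)

def suspicious_requesters(events, threshold=3):
    """Accounts that requested RC4 tickets for at least `threshold` distinct services."""
    by_user = rc4_services_by_requester(events)
    return sorted(u for u, svcs in by_user.items() if len(svcs) >= threshold)

if __name__ == "__main__":
    for user in suspicious_requesters(EVENTS):
        print(f"{user}: RC4 tickets for {sorted(rc4_services_by_requester(EVENTS)[user])}")
```

    The same records also show the remediation taking effect: once service accounts are restricted to AES, successful requests stop appearing with type 0x17, as in the asmith record above.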

    Microsoft has been accused of this before. In 2023, a federal review board blamed Microsoft's inadequate security culture for a hack of US government email accounts by suspected Chinese spies. Because Microsoft dominates the enterprise operating system market, Wyden warned, its decisions set the baseline for security across government and critical infrastructure – and its failings put everyone at risk.

    Wyden is calling on the Federal Trade Commission (FTC) to investigate Microsoft and hold the company responsible for the serious harm it has caused by delivering dangerous, insecure software. He wants regulators to compel Microsoft to ship secure defaults, deliver the long-delayed RC4 update, and provide plain-English guidance to customers about the risks they face.

    This case is a reminder that not everyone is convinced that Microsoft is serious about change. As the company promises a new "secure by design" era under its Secure Future Initiative, Wyden's letter serves as a sharp reminder of the need for accountability. Whether the FTC decides to act may determine if this is just another round of public shaming or the start of a much deeper reckoning for one of the most powerful companies in tech.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/Microsoft-Under-Fire-for-Shipping-Dangerous-Insecure-Software-that-Helped-Cripple-US-Hospital-Network-ehn.shtml

  • https://go.theregister.com/feed/www.theregister.com/2025/09/11/wyden_microsoft_insecure/


  • Published: Thu Sep 11 09:21:34 2025 by llama3.2 3B Q4_K_M
    © Ethical Hacking News . All rights reserved.