Ethical Hacking News

The Gross Cybersecurity Negligence of Microsoft: A Call for Action by Senator Ron Wyden



U.S. Senator Ron Wyden Accuses Microsoft of Gross Cybersecurity Negligence, Demands FTC Investigation
A U.S. Senator has accused Microsoft of gross cybersecurity negligence, citing a prolonged failure to address well-documented security risks in its products. The incident involved a ransomware attack on a healthcare organization, highlighting the vulnerability of critical infrastructure due to inadequate security measures.


  • U.S. Senator Ron Wyden has accused Microsoft of gross cybersecurity negligence, citing its prolonged failure to address well-documented security risks in its products.
  • A recent ransomware attack on a healthcare organization highlighted how vulnerable critical infrastructure is when security measures are inadequate.
  • Senator Wyden's letter cites Microsoft's de facto monopolization of the enterprise operating system market as a serious national security threat.
  • Microsoft's prolonged failure to address security risks led to the 2024 Ascension Health ransomware breach, compromising data from 5.6 million patients.
  • Microsoft continues to support RC4, an insecure algorithm with known vulnerabilities, despite being urged by Senator Wyden's team to remove it.
  • The FTC has not yet publicly responded to Senator Wyden's request, leaving Microsoft open to further scrutiny and pressure from lawmakers.


In a recent letter to the Federal Trade Commission (FTC), U.S. Senator Ron Wyden has accused Microsoft of gross cybersecurity negligence, citing a prolonged failure to address well-documented security risks in its products. The incident involved a ransomware attack on a healthcare organization, highlighting the vulnerability of critical infrastructure due to inadequate security measures.

Senator Wyden's letter comes after the 2024 Ascension Health ransomware breach, which compromised data from 5.6 million patients. The breach was attributed to a "Kerberoasting" attack, which lets attackers obtain service account credentials from Microsoft Active Directory in encrypted form and then recover them when the underlying passwords are weak or easy to guess.

The Senator has expressed certainty that more high-impact incidents will occur unless the FTC intervenes, citing Microsoft's de facto monopolization of the enterprise operating system market as a serious national security threat. Wyden explicitly frames Microsoft's practices as a gross violation of its duty to provide secure products, with devastating consequences for individuals and critical infrastructure.

The incident began when a contractor clicked on a malicious Bing Search result in Microsoft Edge, giving the attackers the foothold they needed to carry out the "Kerberoasting" attack. The attack exploited weak or easy-to-guess passwords protecting credentials that were, in some cases, encrypted with the insecure and deprecated RC4 algorithm, which readily available brute-force tools can break.

The Senator highlights Microsoft's prolonged failure to take decisive action to mitigate well-documented security risks in its products, resulting in attacks such as the 2024 Ascension Health ransomware breach. In July 2024, Senator Wyden's team urged Microsoft to warn customers of the dangers of using RC4 and to make AES 128/256 the default setting. Microsoft responded with a blog post published in October that was deemed highly technical and failed to clearly convey the warning to decision-makers within companies.

Microsoft has pledged to strengthen security in its products but continues to support RC4, which is still an option in Kerberos despite being a weak cipher with vulnerabilities that allow recovering plaintext information. The company claims that disabling RC4 completely would break many customer systems.

In response to Senator Wyden's letter, Microsoft spokespersons have stated that they discourage the use of RC4 both in their software engineering and in their documentation to customers, citing its low usage rate (less than 0.1%). However, they argue that complete removal of RC4 would cause disruptions to customer systems.

Microsoft has assured the Senator's office that it is actively working to gradually remove the algorithm without causing any disruption to customers, warning against its use and providing advice on how to safely use it. The company acknowledges its roadmap to ultimately disable RC4 but emphasizes that this process will require careful planning and consideration of potential impacts.
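The article describes the attack in terms of RC4-encrypted Kerberos service tickets and Microsoft's advice to move to AES, but does not show how a defender would see either condition in their own environment. The following script is an added example, not code from the article, from Senator Wyden's office or from Microsoft. It runs two defender-side checks over constructed sample data: it flags Windows Security event 4769 (Kerberos service ticket requested) records whose TicketEncryptionType is RC4 (0x17) or DES, grouping them by requesting account so that one account pulling tickets for many service principals stands out, and it decodes the msDS-SupportedEncryptionTypes bitmask on service accounts to list which ones still advertise RC4 rather than AES only. The event lines are a flattened key=value rendering of the real event fields, constructed for this example; the account names, SPNs and addresses are invented.

```python
"""Spot Kerberos service-ticket activity and account settings that still rely on RC4.

Added example (not from the article or Microsoft). Uses constructed sample data.
"""
import re
from collections import defaultdict

# Kerberos encryption type identifiers as logged in event 4769 (RFC 3961 / MS-KILE).
ETYPE_NAMES = {
    0x01: "DES-CBC-CRC",
    0x03: "DES-CBC-MD5",
    0x11: "AES128-CTS-HMAC-SHA1-96",
    0x12: "AES256-CTS-HMAC-SHA1-96",
    0x17: "RC4-HMAC",
    0x18: "RC4-HMAC-EXP",
}
WEAK_ETYPES = {0x01, 0x03, 0x17, 0x18}

# msDS-SupportedEncryptionTypes bit flags (MS-KILE 2.2.7).
SUPPORTED_ETYPE_BITS = {
    0x01: "DES-CBC-CRC",
    0x02: "DES-CBC-MD5",
    0x04: "RC4-HMAC",
    0x08: "AES128",
    0x10: "AES256",
}
RC4_BIT = 0x04

# Constructed sample of event 4769/4768 records, flattened to key=value fields for
# this example; real events carry the same fields in XML or rendered text form.
SAMPLE_4769 = [
    "EventID=4769 AccountName=alice@CORP.LOCAL ServiceName=CIFS/fs01 TicketEncryptionType=0x12 ClientAddress=10.1.1.10",
    "EventID=4769 AccountName=svc_backup@CORP.LOCAL ServiceName=krbtgt/CORP.LOCAL TicketEncryptionType=0x12 ClientAddress=10.1.1.20",
    "EventID=4769 AccountName=contractor7@CORP.LOCAL ServiceName=MSSQLSvc/db01:1433 TicketEncryptionType=0x17 ClientAddress=10.1.5.77",
    "EventID=4769 AccountName=contractor7@CORP.LOCAL ServiceName=HTTP/intranet TicketEncryptionType=0x17 ClientAddress=10.1.5.77",
    "EventID=4769 AccountName=contractor7@CORP.LOCAL ServiceName=MSSQLSvc/db02:1433 TicketEncryptionType=0x17 ClientAddress=10.1.5.77",
    "EventID=4769 AccountName=contractor7@CORP.LOCAL ServiceName=ldap/dc01 TicketEncryptionType=0x17 ClientAddress=10.1.5.77",
    "EventID=4768 AccountName=bob@CORP.LOCAL ServiceName=krbtgt/CORP.LOCAL TicketEncryptionType=0x12 ClientAddress=10.1.1.30",
]

# Constructed directory snapshot: service account -> msDS-SupportedEncryptionTypes.
SAMPLE_ACCOUNTS = {
    "svc_sql": 0x1C,      # RC4 + AES128 + AES256: RC4 still negotiable
    "svc_web": 0x18,      # AES128 + AES256 only
    "svc_legacy": None,   # attribute never set; domain default decides
    "svc_backup": 0x04,   # RC4 only
}

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Turn one flattened event line into a dict; the etype is parsed as an int."""
    fields = dict(FIELD_RE.findall(line))
    if "TicketEncryptionType" in fields:
        fields["TicketEncryptionType"] = int(fields["TicketEncryptionType"], 16)
    return fields


def weak_etype_ticket_requests(lines):
    """Return the 4769 events whose service ticket was issued under RC4 or DES."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "4769":
            continue  # 4768 (TGT requests) and other events are out of scope here
        etype = ev.get("TicketEncryptionType")
        if etype in WEAK_ETYPES:
            ev["EncryptionName"] = ETYPE_NAMES.get(etype, hex(etype))
            hits.append(ev)
    return hits


def kerberoast_suspects(lines, min_services=3):
    """Group weak-etype requests by requesting account.

    One account requesting RC4 tickets for many distinct service principals is the
    shape of activity worth investigating. The sample is treated as a single batch;
    a production rule would also bound the time window (assumption: batch input).
    """
    per_account = defaultdict(set)
    for ev in weak_etype_ticket_requests(lines):
        per_account[ev["AccountName"]].add(ev["ServiceName"])
    return {acct: sorted(spns) for acct, spns in per_account.items()
            if len(spns) >= min_services}


def decode_supported_etypes(value):
    """Decode msDS-SupportedEncryptionTypes; 0/None means the attribute is not set."""
    if not value:
        return ["(not set: domain default applies)"]
    return [name for bit, name in SUPPORTED_ETYPE_BITS.items() if value & bit]


def accounts_allowing_rc4(accounts):
    """Accounts whose setting permits RC4, or is unset so the default may permit it."""
    return sorted(name for name, val in accounts.items() if not val or val & RC4_BIT)


if __name__ == "__main__":
    for acct, spns in kerberoast_suspects(SAMPLE_4769).items():
        print(f"{acct}: {len(spns)} RC4/DES service tickets -> {spns}")
    for name, val in SAMPLE_ACCOUNTS.items():
        print(f"{name}: {decode_supported_etypes(val)}")
    print("still allowing RC4:", accounts_allowing_rc4(SAMPLE_ACCOUNTS))
```

On the sample data the script reports the single account that requested RC4 tickets for four different service principals and lists the three service accounts whose msDS-SupportedEncryptionTypes either includes the RC4 bit or is unset. In a real environment the 4769 fields would come from the Security log or a SIEM export and the attribute values from an LDAP or PowerShell query; the thresholds and the treatment of unset values are choices to tune per domain.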

The FTC has not yet publicly responded to Senator Wyden's request, leaving the tech giant open to further scrutiny and pressure from lawmakers. As the cybersecurity landscape continues to evolve, it is essential for companies like Microsoft to prioritize security measures and take concrete steps to address vulnerabilities in their products.

In conclusion, the gross cybersecurity negligence of Microsoft has significant implications for national security and critical infrastructure, as highlighted by Senator Ron Wyden's letter. It is crucial that regulatory bodies like the FTC take swift action to investigate these claims and ensure that companies prioritize cybersecurity measures to protect the public interest.

Related Information:
  • https://www.ethicalhackingnews.com/articles/The-Gross-Cybersecurity-Negligence-of-Microsoft-A-Call-for-Action-by-Senator-Ron-Wyden-ehn.shtml
  • https://www.bleepingcomputer.com/news/security/us-senator-accuses-microsoft-of-gross-cybersecurity-negligence/
  • https://www.msn.com/en-us/news/technology/us-senator-wyden-pushes-ftc-to-investigate-microsoft-for-gross-cybersecurity-negligence/ar-AA1Mi4wI
  • https://cybernews.com/news/us-senator-demands-ftc-investigate-microsoft-cybersecurity-negligence-high-profile-attacks/


Published: Thu Sep 11 14:29:16 2025 by llama3.2 3B Q4_K_M
© Ethical Hacking News. All rights reserved.