Is Microsoft putting US national security at risk? One senator has made that claim and asked for regulators to investigate the tech giant for "gross cybersecurity negligence".
Ron Wyden, a Democratic senator from Oregon, has written to the chair of the Federal Trade Commission (FTC) calling for an investigation into Microsoft's cyber practices, in particular over attacks that target critical infrastructure.
Wyden said it was time to "hold Microsoft responsible for its gross cybersecurity negligence," specifically referencing the 2024 ransomware infection of non-profit health care provider Ascension as well as the recent SharePoint flaw.
"I urge the FTC to investigate Microsoft and hold the company responsible for the serious harm it has caused by delivering dangerous, insecure software to the US government and to critical infrastructure entities, such as those in the US healthcare sector," Wyden wrote in his letter to FTC Chair Andrew Ferguson.
Wyden has previously called for the FTC and other US regulators to "take action" against Microsoft over a cyber attack linked to China.
Time for Microsoft to end RC4?
Wyden noted that the hackers that targeted Ascension used a technique called Kerberoasting to access privileged accounts on Microsoft Active Directory. A report in 2023 saw a 583% jump in attacks using the technique.
"This hacking technique leverages Microsoft’s continued support by default for an insecure encryption technology from the 1980s called RC4 that federal agencies and cybersecurity experts, including experts working for Microsoft, have for more than a decade warned is dangerous," Wyden wrote.
RC4 refers to Rivest Cipher 4 — also known as ARC4 or ARCFOUR — a type of stream cipher that became widely used thanks to its speed and simplicity.
But since its introduction in the mid 1990s, serious flaws have been found and the use of the outdated encryption standard is now actively discouraged – including by Microsoft itself.
Microsoft hits back
The tech giant still technically allows its use, however. A spokesperson for Microsoft told ITPro the outdated encryption standard Wyden is referring to isn't widely used.
"RC4 is an old standard and we discourage its use both in how we engineer our software and in our documentation to customers – which is why it makes up less than .1% of our traffic," the spokesperson said.
"However, disabling its use completely would break many customer systems," a spokesperson said. "For this reason, we’re on a path to gradually reduce the extent to which customers can use it, while providing strong warnings against it and advice for using it in the safest ways possible."
Microsoft is disabling RC4 by default in some products as of the beginning of next year, with "additional mitigations" for those still using it, the spokesperson added.
Regardless, Wyden criticized Microsoft for not making the Advanced Encryption Standard required by default in Windows.
"According to Microsoft, this threat can be mitigated by setting long passwords that are at least 14 characters long, but Microsoft’s software does not require such a password length for privileged accounts," he added.
Further criticism
The senator raised the issue with Microsoft in a meeting at the end of July 2024 about the Kerberoasting technique and the problematic default settings. The following October, Microsoft published a blog post about the hacking technique and said it was working on an update to disable RC4 — but so far that's yet to happen.
"While my staff specifically requested that Microsoft publish and publicize clear guidance in plain English so that senior executives would understand this serious, avoidable cyber risk, Microsoft instead published a highly technical blog post on an obscure area of the company’s website on a Friday afternoon," Wyden continued, adding that Microsoft failed to publicise the post or to warn about default settings.
"As such, it is highly likely that most companies, government agencies, and nonprofits that are Microsoft customers remain vulnerable to Kerberoasting," he added.
Beyond the Ascension attack, Wyden also pointed the finger at Microsoft over attacks against US government agencies by Chinese actors in July 2023 and the SharePoint flaw.
"Without timely action, Microsoft’s culture of negligent cybersecurity, combined with its de facto monopolization of the enterprise operating system market, poses a serious national security threat and makes additional hacks inevitable,” he said.
Make sure to follow ITPro on Google News to keep tabs on all our latest news, analysis, and reviews.
MORE FROM ITPRO
-
Three things you need to know about the EU Data ActNews A host of key provisions in the EU Data Act will come into effect on 12 September, and there’s a lot for businesses to unpack.
-
LNER warns customers to remain vigilant after personal data exposed in cyber attackNews LNER has warned customers to remain vigilant for social engineering attacks after a cyber attack on the rail operator exposed personal data.
-
Microsoft touts new Copilot features in Excel, but says you shouldn’t use them if you want accurate resultsNews Microsoft has warned against using new AI features in Excel for “tasks with legal, regulatory, or compliance implications” – so when can you use it?
-
A senior Microsoft exec says future Windows versions will offer more interactive, ‘multimodal’ experiencesNews With speculation over a Windows 12 reveal mounting, a senior company figure claims the new operating system will mark a step change for users
-
Microsoft says AI is finally having a 'meaningful impact' on developer productivity – and 80% 'would be sad if they could no longer use it'News Researchers at Microsoft wanted to demystify how AI is being used by software developers – their findings show the benefits are finally becoming clear.
-
Microsoft’s botched August updates wiped SSDs, now it’s breaking PC resets and recoveries on WindowsNews An out-of-band patch has been issued by Microsoft to fix a flaw introduced by its August update
-
A Windows 11 update bug is breaking SSDs – here’s what you can do to prevent itNews Users first began reporting the Windows 11 update bug last week
-
What Thomas Dohmke’s departure means for GitHubNews Thomas Dohmke won't be replaced as CEO at GitHub, with remaining company execs reporting directly to Microsoft's CoreAI division.
-
Microsoft and CISPE make ‘significant breakthrough’ with software licensing concessions – critics say it's all just 'smoke and mirrors'News European cloud providers can now offer Microsoft software on a pay-as-you-go software basis
-
The NCSC just urged enterprises to ditch Windows 10 – here’s what you need to knowNews The UK cyber agency says those that haven’t migrated to Windows 11 should do so immediately
