The technical reality behind the failures

Security experts have long criticized Microsoft’s reliance on outdated encryption standards. “RC4 should have been retired long ago, yet it still lurks in Active Directory and continues to enable attacks like Kerberoasting,” Gogia noted.

Microsoft’s justification centered on backward compatibility concerns. “Microsoft’s line has been that switching it off overnight could break older systems,” Gogia explained. “That may be true, but after more than a decade of warnings, the argument has become increasingly difficult to sustain.”

Wyden detailed how “Microsoft’s continued support for the ancient, insecure RC4 encryption technology needlessly exposes its customers to ransomware and other cyber threats by enabling hackers that have gained access to any computer on a corporate network to crack the passwords of privileged accounts used by administrators.”
The $20 billion security business

Microsoft’s security division now generates more than $20 billion annually, much of it from features that addressed gaps in the company’s core products. “Features such as advanced logging, which many assumed were part of the core product, sat behind premium licenses until the Exchange Online hack forced Microsoft to expand access,” Gogia observed.

Wyden argued that “instead of delivering secure software to its customers, Microsoft has built a multibillion-dollar secondary business selling cybersecurity add-on services to those organizations that can afford it.”

This created what enterprise customers described as a double-billing problem. “That’s why CIOs describe the feeling as being billed twice, once for the platform, and again for the peace of mind,” Gogia said.

Wyden captured this dynamic with his pointed criticism: “At this point, Microsoft has become like an arsonist selling firefighting services to their victims.”
Broken promises and regulatory pressure

When Wyden’s staff briefed senior Microsoft officials about the Kerberoasting threat in July 2024, the letter added, they “specifically requested that Microsoft publish and publicize clear guidance in plain English so that senior executives would understand this serious, avoidable cyber risk.”

Microsoft’s response fell short, publishing guidance as “a highly technical blog post on an obscure area of the company’s website on a Friday afternoon.” The company also promised to release a software update disabling RC4 encryption, but eleven months later, “Microsoft has yet to release that promised security update,” Wyden noted.

The regulatory implications remained uncertain. “A full-blown FTC case against Microsoft on the basis of weak defaults still feels unlikely,” Gogia said. However, he noted that “the Cyber Safety Review Board’s report from last year complicates the picture. It concluded Microsoft’s security culture was inadequate and accused the company of avoidable mistakes in a government email breach.”
What CISOs are doing now

Enterprise security leaders weren’t waiting for Microsoft or regulators to act. “CISOs are already acting as though Wyden’s points are proven,” Gogia said. “They’re disabling RC4 manually, mandating longer passwords for service accounts, and pushing multi-factor authentication across the board.”

Organizations were increasingly using procurement contracts as leverage. “Contracts are starting to include clauses demanding configuration reports and baseline protections,” Gogia noted. “In some cases, workloads are being threatened with migration unless these terms are met.”
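The manual hardening Gogia describes (turning RC4 off and tightening service-account passwords) starts with knowing which accounts are exposed. The following is an added audit example, not code from the article or from Microsoft: it decodes the Active Directory `msDS-SupportedEncryptionTypes` bitmask (the documented bit values DES-CBC-CRC=1, DES-CBC-MD5=2, RC4-HMAC=4, AES128=8, AES256=16) and flags service accounts, that is accounts with a `servicePrincipalName`, whose tickets can still be issued with RC4 or whose passwords are stale. The record format is a constructed, hypothetical export; in practice the fields would be pulled from a directory query.

```python
"""Audit AD service accounts for RC4 exposure (added example; constructed data)."""
from dataclasses import dataclass, field
from typing import List, Optional

# Documented bit values of msDS-SupportedEncryptionTypes.
ETYPE_BITS = {
    0x01: "DES-CBC-CRC",
    0x02: "DES-CBC-MD5",
    0x04: "RC4-HMAC",
    0x08: "AES128-CTS-HMAC-SHA1-96",
    0x10: "AES256-CTS-HMAC-SHA1-96",
}
RC4_BIT = 0x04
AES_ONLY = 0x08 | 0x10          # 24: the hardened value to set
MAX_PASSWORD_AGE_DAYS = 365     # hypothetical policy threshold for this example


@dataclass
class Account:
    """Hypothetical shape of one exported directory record."""
    sam_account_name: str
    spns: List[str] = field(default_factory=list)
    # None models an attribute that was never set on the object.
    supported_etypes: Optional[int] = None
    password_age_days: int = 0


def decode_etypes(value: Optional[int]) -> List[str]:
    """Return the cipher names enabled by a bitmask; [] when unset or 0."""
    if not value:
        return []
    return [name for bit, name in ETYPE_BITS.items() if value & bit]


def rc4_allowed(value: Optional[int]) -> bool:
    """RC4 is available if its bit is set, or if the attribute is unset/0
    (then the domain default applies, which must be reviewed separately)."""
    return not value or bool(value & RC4_BIT)


def audit_service_accounts(accounts: List[Account]) -> List[dict]:
    """Flag Kerberoastable accounts (those with SPNs) that still allow RC4
    or carry stale passwords; accounts without SPNs are skipped."""
    findings = []
    for acct in accounts:
        if not acct.spns:
            continue
        issues = []
        if rc4_allowed(acct.supported_etypes):
            state = "unset (domain default)" if not acct.supported_etypes \
                else ", ".join(decode_etypes(acct.supported_etypes))
            issues.append(f"RC4 allowed: etypes={state}; set to {AES_ONLY} (AES only)")
        if acct.password_age_days > MAX_PASSWORD_AGE_DAYS:
            issues.append(f"password {acct.password_age_days} days old; rotate")
        if issues:
            findings.append({"account": acct.sam_account_name, "issues": issues})
    return findings


# Constructed sample export: three service accounts and one plain user.
SAMPLE = [
    Account("svc-sql", ["MSSQLSvc/db01.corp.example:1433"], 0x1C, 900),   # RC4+AES
    Account("svc-web", ["HTTP/web01.corp.example"], None, 30),            # unset
    Account("svc-backup", ["backup/bk01.corp.example"], AES_ONLY, 10),    # hardened
    Account("jdoe", [], None, 2000),                                      # no SPN
]

if __name__ == "__main__":
    for f in audit_service_accounts(SAMPLE):
        print(f["account"], "->", "; ".join(f["issues"]))
```

Running the block reports `svc-sql` (RC4 still enabled alongside AES, and a 900-day-old password) and `svc-web` (attribute unset, so the domain default decides), while the AES-only `svc-backup` and the SPN-less user produce nothing. On a real domain the same bitmask is what the “Network security: Configure encryption types allowed for Kerberos” policy and the account attribute control, so the fix for a flagged account is to set the attribute to 24 after confirming its clients support AES.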
Industry-wide implications

The implications of Wyden’s investigation could reshape how the entire software industry approaches security. “If Wyden’s concerns gain ground, the implications stretch beyond Microsoft,” Gogia said. “Treating insecure defaults as negligence would change how software is built and sold.”

Wyden concluded with a stark warning: “Microsoft has utterly failed to stop or even slow down the scourge of ransomware enabled by its dangerous software,” and warned that “Microsoft’s culture of negligent cybersecurity, combined with its de facto monopolization of the enterprise operating system market, poses a serious national security threat and makes additional hacks inevitable.”

As Gogia summarized: “The Ascension breach has become a rallying point: one overlooked setting can take down an entire industry, so defaults are no longer trusted.”

Microsoft did not immediately respond to a request for comment.
First seen on csoonline.com
Jump to article: www.csoonline.com/article/4055697/microsoft-under-fire-senator-demands-ftc-investigation-into-arsonist-selling-firefighting-services.html