Microsoft Accused of “Gross Negligence” Over Insecure RC4 Protocol
U.S. Senator Ron Wyden has sent a letter to the Federal Trade Commission (FTC) demanding an investigation into Microsoft, accusing the company of “gross negligence” in the field of cybersecurity. The concern stems from Windows’ continued reliance on the outdated and insecure RC4 encryption algorithm, which remains enabled by default in Active Directory. According to the senator’s office, this weakness played a decisive role in the large-scale ransomware attack against healthcare provider Ascension in 2024, which resulted in the compromise of data belonging to 5.6 million patients.
Wyden emphasized that because of these “dangerous engineering decisions,” a single infected employee laptop was enough for attackers to deploy ransomware across thousands of systems via Active Directory. In the case of Ascension, the initial entry point was a contractor’s device, from which hackers conducted a Bing search through Microsoft Edge. After gaining access, they leveraged kerberoasting techniques to brute-force the passwords of privileged accounts, ultimately enabling the widespread deployment of ransomware across the network.
RC4, created in 1987 by Ron Rivest, has long been considered broken. The algorithm was first cracked in 1994 and has since been the subject of numerous successful attacks. While most communication protocols have deprecated RC4, it persists as a default mechanism within Kerberos authentication in Active Directory. Despite the availability of stronger algorithms, many organizations continue to operate under default settings. This allows attackers to request Kerberos service tickets encrypted under RC4 keys derived from an account's password hash, capture them from the network, and crack them offline using powerful GPUs. Because the scheme relies on unsalted MD4 hashes without iterative strengthening, attackers can attempt billions of guesses per second.
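The kerberoasting sequence described above leaves a recognisable trace on domain controllers: service-ticket requests (Event ID 4769) with an RC4-HMAC encryption type (0x17) from one principal across many services. The following detector is an added example, not code from the article or from Microsoft; the log lines, their key=value layout and the field names are constructed for illustration and will differ from a real SIEM export.

```python
"""Flag Kerberos TGS requests (Event ID 4769) that used RC4-HMAC, the
kerberoasting pattern the article describes. Added example; the log
records below are constructed, not real domain controller output."""
from collections import defaultdict

# Constructed sample records. TicketEncryptionType 0x17 = RC4-HMAC,
# 0x12 = AES256-CTS-HMAC-SHA1-96 (the value a hardened domain should show).
SAMPLE_EVENTS = [
    "EventID=4769 TargetUserName=alice@CORP.LOCAL ServiceName=MSSQLSvc/db01 TicketEncryptionType=0x12",
    "EventID=4769 TargetUserName=contractor01@CORP.LOCAL ServiceName=MSSQLSvc/db01 TicketEncryptionType=0x17",
    "EventID=4769 TargetUserName=contractor01@CORP.LOCAL ServiceName=HTTP/intranet TicketEncryptionType=0x17",
    "EventID=4769 TargetUserName=contractor01@CORP.LOCAL ServiceName=CIFS/fileserver TicketEncryptionType=0x17",
    "EventID=4769 TargetUserName=contractor01@CORP.LOCAL ServiceName=ldap/dc01 TicketEncryptionType=0x17",
    "EventID=4768 TargetUserName=bob@CORP.LOCAL TicketEncryptionType=0x17",
    "EventID=4769 TargetUserName=bob@CORP.LOCAL ServiceName=krbtgt TicketEncryptionType=0x17",
]

RC4_HMAC = 0x17


def parse_event(line):
    """Split a key=value log line into a dict; the encryption type becomes an int."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    if "TicketEncryptionType" in fields:
        fields["TicketEncryptionType"] = int(fields["TicketEncryptionType"], 16)
    return fields


def rc4_service_tickets(lines):
    """Map each requesting account to the sorted services for which it obtained an
    RC4-encrypted service ticket. Only 4769 (TGS) events count; krbtgt is skipped
    because that entry is the TGT itself, not a roastable service account."""
    hits = defaultdict(set)
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "4769" or ev.get("TicketEncryptionType") != RC4_HMAC:
            continue
        if ev.get("ServiceName", "").lower().startswith("krbtgt"):
            continue
        hits[ev["TargetUserName"]].add(ev["ServiceName"])
    return {user: sorted(spns) for user, spns in hits.items()}


def kerberoasting_suspects(lines, min_services=3):
    """Accounts that pulled RC4 service tickets for at least min_services distinct
    services: a burst like this from one principal is the signal to alert on."""
    return {u: s for u, s in rc4_service_tickets(lines).items() if len(s) >= min_services}


if __name__ == "__main__":
    for user, spns in kerberoasting_suspects(SAMPLE_EVENTS).items():
        print(f"ALERT {user}: RC4 service tickets for {len(spns)} services: {', '.join(spns)}")
```

Any RC4 service ticket at all is worth reviewing in a domain that has moved its service accounts to AES; the threshold only ranks the noisiest principals first.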
Cryptographer Matt Green of Johns Hopkins University described Kerberos’ reliance on RC4 as “a flaw that should have been eliminated decades ago.” He noted that even long, policy-compliant passwords offer little resistance to brute-force attacks under this model. The risk is further compounded by common misconfigurations in Active Directory that grant ordinary users access to administrator-level functions, making kerberoasting even more accessible to adversaries.
In response, Microsoft stated that RC4 accounts for less than 0.1% of traffic and that the company strongly advises against its use. However, it admitted that removing support entirely would break functionality for some customers, necessitating a gradual phase-out. According to Microsoft, beginning in the first quarter of 2026, new Active Directory domains running on Windows Server 2025 will ship with RC4 disabled by default. For existing environments, Microsoft is preparing mitigation measures aimed at reducing risk while maintaining backward compatibility.
Wyden, however, argues that the company is deliberately downplaying the severity of the issue, confining its warnings to obscure technical blog posts rather than issuing direct alerts to enterprise customers. He also criticized Microsoft’s business model, which he said leaves core software vulnerable while offering security enhancements as paid add-ons—a practice he likened to “an arsonist selling fire insurance to his victims.” Experts meanwhile recommend that organizations adopt best security practices for managing Active Directory service accounts.
Microsoft maintains that it is engaging with Senator Wyden and cooperating with government agencies, stressing that a formal roadmap for the deprecation of RC4 is already in place.