US Senator Ron Wyden Slams Microsoft Over Security Failures and National Security Risks
Microsoft faces renewed scrutiny after US Senator Ron Wyden accused the tech giant of shipping "dangerous, insecure software" that reportedly contributed to crippling a major hospital network in the US. Wyden's recent letter to the Federal Trade Commission (FTC) underscores concerns about ongoing cybersecurity issues tied to Microsoft's products and practices.
Allegations of Negligence and National Security Threats
In a comprehensive PDF letter delivered on September 10 to FTC Chair Andrew Ferguson, Wyden characterized Microsoft not just as a negligent vendor but as a potential threat to national security. He urges the FTC to investigate and hold Microsoft accountable for providing insecure software to critical infrastructure, including the healthcare sector.
"Without timely action, Microsoft's culture of negligent cybersecurity, combined with its de facto monopolization of the enterprise OS market, poses a serious threat and makes additional hacks inevitable," Wyden stated.
The Ascension Hospital Ransomware Attack
The recent focus on Microsoft's security lapses stems from a ransomware attack last year targeting Ascension, a Catholic nonprofit operating over 140 hospitals nationwide. According to new insights obtained from Ascension by Wyden's office, a contractor's device was compromised after an innocuous Bing search led to a malicious link that downloaded malware.
Attackers exploited known vulnerabilities—specifically, weak default configurations in Microsoft's systems—to escalate privileges, move laterally within the network, and deploy ransomware across thousands of devices. The attack resulted in canceled surgeries, manual record-keeping, and the theft of personal and medical data for approximately 5.6 million patients.
Old Vulnerabilities, New Concerns
Wyden emphasizes that the breach was fueled by an enduring vulnerability called "Kerberoasting," which exploits weak encryption algorithms like RC4. Despite more secure options like AES being available, Microsoft continues to default to RC4, a decision security experts have warned against for years.
The senator criticizes Microsoft for knowing about this vulnerability but failing to act decisively. A promised patch to disable RC4 remains unimplemented nearly a year after it was announced, and security guidance has been poorly communicated, buried in obscure blog posts.
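As an added example (not code from the article, from Wyden's letter or from Microsoft), here is the check a defender would run for the RC4 weakness described above: a Python scan of constructed Windows Security Event ID 4769 records that flags principals requesting RC4-HMAC (ticket encryption type 0x17) service tickets for several accounts, the pattern Kerberoasting produces. Field names follow the 4769 event schema; the sample events, account and service names are constructed.

```python
"""Flag RC4-encrypted Kerberos service-ticket requests (Kerberoasting signal).
Added example, not from the article or Microsoft; scans constructed records
shaped like Windows Security Event ID 4769 ("A Kerberos service ticket was
requested"). 0x17 is RC4-HMAC; 0x11/0x12 are the AES types."""

RC4_HMAC = 0x17

# Constructed sample events (key=value per line); not real log data.
SAMPLE_EVENTS = [
    "EventID=4769 TargetUserName=alice@CORP.LOCAL ServiceName=WS01$ TicketEncryptionType=0x12 IpAddress=10.0.0.5",
    "EventID=4769 TargetUserName=ctr@CORP.LOCAL ServiceName=svc_sql TicketEncryptionType=0x17 IpAddress=10.0.0.77",
    "EventID=4769 TargetUserName=ctr@CORP.LOCAL ServiceName=svc_backup TicketEncryptionType=0x17 IpAddress=10.0.0.77",
    "EventID=4769 TargetUserName=ctr@CORP.LOCAL ServiceName=svc_web TicketEncryptionType=0x17 IpAddress=10.0.0.77",
    "EventID=4769 TargetUserName=bob@CORP.LOCAL ServiceName=krbtgt TicketEncryptionType=0x17 IpAddress=10.0.0.9",
    "EventID=4768 TargetUserName=bob@CORP.LOCAL ServiceName=krbtgt TicketEncryptionType=0x12 IpAddress=10.0.0.9",
]

def parse_event(line):
    """Split a key=value event line into a dict of strings."""
    return dict(field.split("=", 1) for field in line.split())

def is_rc4_service_ticket(event):
    """True for a 4769 TGS request that used RC4 for a service account.
    krbtgt and computer accounts (names ending in '$') are excluded: they are
    routine noise, not the password-backed service accounts at risk."""
    if event.get("EventID") != "4769":
        return False
    svc = event.get("ServiceName", "")
    if svc == "krbtgt" or svc.endswith("$"):
        return False
    return int(event.get("TicketEncryptionType", "0"), 16) == RC4_HMAC

def find_kerberoast_candidates(lines, threshold=2):
    """Map (requester, ip) -> sorted service names for requesters that pulled
    RC4 tickets for at least `threshold` distinct services. One principal
    requesting many RC4 tickets in a burst is the classic pattern; a single
    RC4 ticket is usually just a legacy service that still needs migrating."""
    hits = {}
    for line in lines:
        ev = parse_event(line)
        if is_rc4_service_ticket(ev):
            key = (ev["TargetUserName"], ev.get("IpAddress", "?"))
            hits.setdefault(key, set()).add(ev["ServiceName"])
    return {k: sorted(v) for k, v in hits.items() if len(v) >= threshold}

if __name__ == "__main__":
    for (user, ip), services in find_kerberoast_candidates(SAMPLE_EVENTS).items():
        print(f"RC4 service tickets requested by {user} from {ip}: {', '.join(services)}")
```

Any service account that shows up here is one whose AES-only setting (msDS-SupportedEncryptionTypes) and password strength should be reviewed, since those are the two defaults the letter faults.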
Broader Criticisms and Patterns of Neglect
Wyden also highlights systemic issues, including:
- Weak Password Policies: Defaults often do not enforce the complexity needed to counter Kerberoasting.
- Lack of Customer Awareness: Many users remain unaware of underlying risks until it's too late.
- Profit Over Security: Wyden accuses Microsoft of building a lucrative secondary business selling security add-on services, creating a conflict of interest reminiscent of "selling firefighting services to arsonists."
He points to a pattern of security failures, including a 2023 incident where suspected Chinese spies compromised US government email systems, blamed on inadequate security practices.
Calls for Regulatory Action
Wyden urges the FTC to investigate and compel Microsoft to:
- Implement secure defaults
- Deliver the overdue RC4 patch
- Provide clear, understandable security guidance to customers
Should the FTC act, it could mark a pivotal moment in regulatory oversight of major tech vendors whose products underpin vital services but often fall short on security.
The Road Ahead for Microsoft
Despite Microsoft's "Secure by Design" promises under its Secure Future Initiative, Wyden's letter indicates skepticism about the company's commitment to meaningful change. Whether regulatory intervention follows could determine if this is just another public shaming or the beginning of a serious accountability process for one of the most influential technology giants.
---
Disclaimer: This article summarizes alleged accusations and ongoing investigations; no final judgment has been made.