Senator Urges FTC Probe of Microsoft Over Security Failures
US Senator Ron Wyden, D-Ore., on Wednesday sent a letter to the Federal Trade Commission (FTC), urging it to investigate Microsoft’s cybersecurity practices and hold it accountable for gross negligence.
Microsoft’s security lapses, the senator says, have led to ransomware attacks on critical infrastructure organizations, including healthcare entities, putting patient care at risk, and threatening national security.
In his letter (PDF) to FTC Chairman Andrew Ferguson, Senator Wyden argues that Windows, the widely used operating system over which Microsoft holds a monopoly, is “incredibly vulnerable to ransomware infections” in its default configuration.
According to the letter, Microsoft has made “dangerous software engineering decisions” that were largely hidden from corporate and government customers. These lapses could lead to an organization-wide ransomware infection if a single individual clicks on a malicious link.
This is exactly what happened in May 2024, when healthcare giant Ascension was hacked. As the senator’s staff learned, a contractor clicked on a malicious link in Bing search results and infected their laptop with malware.
This allowed the hackers to move laterally into Ascension’s network, gain administrative privileges on the Active Directory (AD) server, and push ransomware to thousands of systems within the organization, causing massive disruptions. The attackers also stole the personal information of 5.6 million people.
“The FTC’s mission to protect Americans from deceptive and unfair business practices and promote fair competition obligates the agency to investigate Microsoft’s negligence in a marketplace where its dominance has profound, foundational influence on cybersecurity practices and to hold the company accountable for its shortcomings,” the senator says.
The senator’s letter also shows that access to Ascension’s AD server was obtained through Kerberoasting, an attack technique that abuses the Kerberos authentication protocol to steal credentials. The technique remains feasible because Microsoft continues to support the decades-old RC4 encryption algorithm.
“Microsoft’s continued support for the ancient, insecure RC4 encryption technology needlessly exposes its customers to ransomware and other cyber threats by enabling hackers that have gained access to any computer on a corporate network to crack the passwords of privileged accounts used by administrators,” Senator Wyden says.
In October 2024, after being contacted by the senator’s staff in July, Microsoft published a technical blog about Kerberoasting, noting it would deprecate RC4, but failed to clearly warn customers that they are exposed to the attack technique unless they change default settings in AD, the letter reads.
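The two Active Directory settings the letter alludes to are visible to defenders in ordinary telemetry: the Kerberos ticket encryption type recorded in Windows Security event 4769 (a service-ticket request) and the msDS-SupportedEncryptionTypes attribute on each account. The script below is an added, defender-side example written for this article; it is not code from the article, the senator’s letter, or Microsoft. It flags requesters that pulled RC4-encrypted (0x17) service tickets for many distinct service-principal accounts in one session, which is the pattern a Kerberoasting tool leaves, and it lists accounts whose encryption-type attribute still permits RC4. The key=value export format, account names, IP addresses and attribute values are constructed for illustration; the encryption-type codes (0x17 RC4-HMAC, 0x11 AES128, 0x12 AES256) and the attribute bits (0x4 RC4, 0x8 AES128, 0x10 AES256) are the ones Windows uses.

```python
# Added example: Kerberoasting detection over exported event 4769 records and an
# audit of msDS-SupportedEncryptionTypes. Sample data is constructed, not real.
from dataclasses import dataclass

# TicketEncryptionType values as logged in Security event 4769.
RC4_HMAC = 0x17
AES128_CTS_HMAC_SHA1 = 0x11
AES256_CTS_HMAC_SHA1 = 0x12

# msDS-SupportedEncryptionTypes bit flags on the AD account object.
ENC_RC4_HMAC_MD5 = 0x04
ENC_AES128 = 0x08
ENC_AES256 = 0x10

# Constructed export of 4769 events, one record per line, key=value fields.
SAMPLE_4769 = """
TargetUserName=contractor01@CORP.EXAMPLE ServiceName=svc_sql TicketEncryptionType=0x17 IpAddress=10.0.5.23
TargetUserName=contractor01@CORP.EXAMPLE ServiceName=svc_web TicketEncryptionType=0x17 IpAddress=10.0.5.23
TargetUserName=contractor01@CORP.EXAMPLE ServiceName=svc_backup TicketEncryptionType=0x17 IpAddress=10.0.5.23
TargetUserName=contractor01@CORP.EXAMPLE ServiceName=svc_print TicketEncryptionType=0x17 IpAddress=10.0.5.23
TargetUserName=alice@CORP.EXAMPLE ServiceName=FILESRV01$ TicketEncryptionType=0x17 IpAddress=10.0.7.10
TargetUserName=bob@CORP.EXAMPLE ServiceName=svc_sql TicketEncryptionType=0x12 IpAddress=10.0.7.11
TargetUserName=alice@CORP.EXAMPLE ServiceName=krbtgt TicketEncryptionType=0x12 IpAddress=10.0.7.10
"""

# Constructed snapshot of sAMAccountName -> msDS-SupportedEncryptionTypes.
# None means the attribute was never set on the object.
SAMPLE_ACCOUNTS = {
    "svc_sql": None,
    "svc_web": ENC_RC4_HMAC_MD5 | ENC_AES128 | ENC_AES256,   # 0x1C
    "svc_backup": ENC_AES128 | ENC_AES256,                    # 0x18, AES only
    "FILESRV01$": ENC_RC4_HMAC_MD5 | ENC_AES128 | ENC_AES256,
}


@dataclass
class TgsRequest:
    account: str     # TargetUserName: who asked for the ticket
    service: str     # ServiceName: the account the ticket is encrypted to
    enc_type: int    # TicketEncryptionType
    source_ip: str   # IpAddress of the requester


def sample_lines():
    """Non-empty lines of the constructed export."""
    return [ln for ln in SAMPLE_4769.splitlines() if ln.strip()]


def parse_4769_line(line):
    """Parse one key=value export line into a TgsRequest."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return TgsRequest(
        account=fields["TargetUserName"],
        service=fields["ServiceName"],
        enc_type=int(fields["TicketEncryptionType"], 16),
        source_ip=fields["IpAddress"],
    )


def is_rc4_service_ticket(req):
    """True for an RC4 ticket to a user-owned SPN account.

    Tickets to machine accounts (trailing '$') and to krbtgt are routine and
    their keys are long and random, so only user-style service accounts with
    crackable passwords are interesting here.
    """
    return (req.enc_type == RC4_HMAC
            and not req.service.endswith("$")
            and req.service.lower() != "krbtgt")


def find_kerberoasting_candidates(lines, threshold=3):
    """Map (requester, source IP) -> sorted SPN accounts for which that requester
    obtained RC4 tickets, keeping only requesters at or above `threshold`.

    A single RC4 ticket is usually legacy noise; a burst of RC4 tickets for many
    different service accounts from one host is the roasting signature.
    """
    by_requester = {}
    for line in lines:
        req = parse_4769_line(line)
        if is_rc4_service_ticket(req):
            by_requester.setdefault((req.account, req.source_ip), set()).add(req.service)
    return {k: sorted(v) for k, v in by_requester.items() if len(v) >= threshold}


def decode_supported_enc_types(value):
    """Explain an msDS-SupportedEncryptionTypes bitmask."""
    return {
        "rc4": bool(value & ENC_RC4_HMAC_MD5),
        "aes128": bool(value & ENC_AES128),
        "aes256": bool(value & ENC_AES256),
    }


def accounts_still_allowing_rc4(accounts):
    """Sorted account names whose attribute permits RC4.

    An unset attribute is treated as allowing RC4, since without an explicit
    AES-only value the domain default still includes RC4.
    """
    return sorted(name for name, v in accounts.items()
                  if v is None or decode_supported_enc_types(v)["rc4"])


if __name__ == "__main__":
    for (who, ip), services in find_kerberoasting_candidates(sample_lines()).items():
        print(f"possible Kerberoasting: {who} from {ip} -> {services}")
    print("accounts still permitting RC4:", accounts_still_allowing_rc4(SAMPLE_ACCOUNTS))
```

On the constructed data the detector reports contractor01 from 10.0.5.23 (four RC4 tickets to distinct service accounts) and ignores alice’s single RC4 ticket to a machine account. The audit lists svc_sql (attribute never set), svc_web and FILESRV01$, while svc_backup, already pinned to AES, is clean. In a real deployment the lines would come from a SIEM export rather than a string, and the remediation is the one the letter says customers are not clearly told about: set the attribute to AES-only on service accounts and give those accounts long, random passwords so that any ticket an attacker does obtain is not worth cracking.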
The Ascension hack and Kerberoasting, Senator Wyden notes, are only examples in a long list of issues caused by Microsoft’s cybersecurity negligence. The Chinese exploitation of SharePoint zero-days disclosed in July is another example.
Senator Wyden also points out that this is not the first time Microsoft’s cybersecurity lapses have surfaced. A Cyber Safety Review Board (CSRB) review of the 2023 Microsoft Exchange Online hack revealed that the intrusion was the result of avoidable errors by Microsoft.
Additionally, the letter points out that, instead of integrating security into its software, Microsoft has built a multi-billion-dollar business by selling cybersecurity add-on services.
“At this point, Microsoft has become like an arsonist selling firefighting services to their victims. And yet government agencies, companies, and nonprofits like Ascension have no choice but to continue to use the company’s software, even after they are hacked, because of Microsoft’s near-monopoly over enterprise IT,” the senator says.
Senator Wyden urges the FTC to probe Microsoft and hold it accountable for the serious harm it has caused through the insecure software delivered to US government and critical infrastructure entities, including healthcare organizations.
“Without timely action, Microsoft’s culture of negligent cybersecurity, combined with its de facto monopolization of the enterprise operating system market, poses a serious national security threat and makes additional hacks inevitable,” the senator notes.
SecurityWeek has emailed Microsoft for a statement on the senator’s letter and will update this article if the company responds.
“The letter underscores a long-standing tension in enterprise cybersecurity, the balance between legacy system support and secure-by-default design. What happened at Ascension isn’t just about one bad click or an old cipher. It’s about systemic risk inherited from default configurations and the architectural complexity of widely adopted software ecosystems like Microsoft’s. When a single vendor becomes foundational to national infrastructure, their security design decisions, or lack thereof, can have cascading consequences,” SOCRadar CISO Ensar Seker said.
“Ultimately, this isn’t about blaming one company. It’s about recognizing that national security is now tightly coupled with the configuration defaults of dominant IT platforms. Enterprises and public sector agencies alike need to demand more secure-by-design defaults and be ready to adapt when they’re offered,” Seker added.
This article was originally published by The Hacker News. Please check their website for the original content.