Digital Event Horizon
A prominent US senator has called on Microsoft to stop using a vulnerable encryption cipher, citing its potential to expose customers to ransomware and other cyber threats. The company's continued support for RC4 has raised significant cybersecurity concerns among experts.
Microsoft's continued use of RC4 encryption has raised significant cybersecurity concerns among experts. The cipher is vulnerable to offline cracking attacks that let hackers guess billions of passwords per second. Microsoft has yet to provide a timeline for deprecation and has failed to explicitly warn its customers about the risks of using RC4. The Kerberos authentication method, when it relies on RC4, has also been vulnerable to kerberoasting attacks since 2014. Experts are skeptical about Microsoft's measures to reduce support for RC4, citing a lack of transparency and accountability.
The use of RC4 encryption, a widely criticized and vulnerable cipher, by Microsoft has raised significant cybersecurity concerns among experts. In a recent letter to the Federal Trade Commission (FTC), Senator Ron Wyden (D-Ore.) expressed his dissatisfaction with Microsoft's continued support for RC4, citing its potential to expose customers to ransomware and other cyber threats.
According to Wyden, Microsoft's default use of the RC4 cipher in Windows Server 2025 poses a significant risk to corporate networks. The senator pointed out that the password-derived key used with the cipher is not salted or iterated, making it susceptible to offline cracking attacks. This allows hackers to guess billions of passwords per second, rendering even strong passwords vulnerable to attack.
The issue with RC4 encryption has been ongoing for several years, but Microsoft has yet to provide a timeline for its deprecation. In 2024, the company announced plans to phase out the use of RC4, but it has still not said when that will happen. Wyden criticized Microsoft for failing to explicitly warn its customers about the risks associated with using RC4.
In addition to the concerns surrounding RC4, experts have also pointed out the limitations of the Kerberos authentication method when it uses RC4 as its underlying cipher. The method has been known to be vulnerable to kerberoasting attacks since 2014. These attacks exploit weaknesses in Kerberos, allowing hackers to gain access to privileged accounts without needing physical access to the device.
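As an added example, not from the article or from Microsoft: a small Python audit that flags service-ticket requests logged with RC4 (the kerberoasting exposure described above) and checks whether an account's msDS-SupportedEncryptionTypes bitmask still permits RC4. The event lines are constructed, and their flattened key=value layout is an assumption about how the Security log was exported.

```python
import re
from collections import Counter

# 0x17 is RC4-HMAC as logged in the TicketEncryptionType field of Windows
# Security event 4769 ("A Kerberos service ticket was requested").
RC4_HMAC = 0x17
# Bit 0x4 of the msDS-SupportedEncryptionTypes attribute permits RC4-HMAC.
RC4_SUPPORTED_BIT = 0x4
# Constructed sample events (not real telemetry), flattened to key=value pairs.
SAMPLE_EVENTS = """\
EventID=4769 TargetUserName=alice@CORP.EXAMPLE ServiceName=sqlsvc TicketEncryptionType=0x17
EventID=4769 TargetUserName=alice@CORP.EXAMPLE ServiceName=WS01$ TicketEncryptionType=0x12
EventID=4769 TargetUserName=bob@CORP.EXAMPLE ServiceName=krbtgt TicketEncryptionType=0x17
EventID=4769 TargetUserName=alice@CORP.EXAMPLE ServiceName=websvc TicketEncryptionType=0x17
EventID=4769 TargetUserName=carol@CORP.EXAMPLE ServiceName=backupsvc TicketEncryptionType=0x12
EventID=4768 TargetUserName=dave@CORP.EXAMPLE ServiceName=krbtgt TicketEncryptionType=0x17
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")

def parse_event(line):
    """Turn one flattened event line into a dict of its fields."""
    return dict(FIELD_RE.findall(line))

def rc4_service_tickets(log_text):
    """4769 events where a user-style service account's ticket was issued with
    RC4-HMAC; krbtgt and computer accounts (trailing '$') are skipped, since the
    exposure described in the article is password-derived service-account keys."""
    hits = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev.get("EventID") != "4769":
            continue
        if int(ev.get("TicketEncryptionType", "0"), 16) != RC4_HMAC:
            continue
        svc = ev.get("ServiceName", "")
        if svc == "krbtgt" or svc.endswith("$"):
            continue
        hits.append(ev)
    return hits

def rc4_requests_per_user(log_text):
    """Count RC4 service-ticket requests per requesting account."""
    return Counter(ev["TargetUserName"] for ev in rc4_service_tickets(log_text))

def account_allows_rc4(supported_enctypes):
    """True when msDS-SupportedEncryptionTypes still permits RC4. 0 (unset) defers
    to the DC default, which the article says still includes RC4, so it counts."""
    return not supported_enctypes or bool(supported_enctypes & RC4_SUPPORTED_BIT)
```

A single account pulling RC4 tickets for many distinct services in a short window is the pattern worth reviewing; accounts whose bitmask still allows RC4 are the ones to move to AES-only before the Microsoft default changes.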
Microsoft's decision to continue supporting RC4 has raised concerns among cybersecurity experts and lawmakers alike. Wyden described Microsoft as an "arsonist" who is selling firefighting services to its victims. He called for a thorough investigation into Microsoft's security practices, stating that the company's negligence has put millions of patients' medical records at risk.
In response to the criticism, Microsoft stated that it has already deprecated the use of DES, another encryption scheme with known vulnerabilities. The company claims to be on a path to gradually reduce its support for RC4 and will disable it by default in future Windows updates that it has not yet specified. However, many experts remain skeptical about the effectiveness of these measures.
The incident highlights the need for greater transparency and accountability from tech companies when it comes to security practices. As cybersecurity threats continue to evolve, it is essential that companies prioritize the safety and security of their users' data.
Related Information:
https://www.digitaleventhorizon.com/articles/Ars-Technica-Investigation-Microsofts-Continued-Support-for-RC4-Encryption-Raises-Cybersecurity-Concerns-deh.shtml
https://arstechnica.com/security/2025/09/senator-blasts-microsoft-for-making-default-windows-vulnerable-to-kerberoasting/
Published: Wed Sep 10 16:58:44 2025 by llama3.2 3B Q4_K_M