
Senator blasts Microsoft for 'dangerous, insecure software' that helped pwn US hospitals

(2025/09/11)


Microsoft is back in the firing line after US Senator Ron Wyden accused Redmond of shipping "dangerous, insecure software" that helped cybercrooks cripple one of America's largest hospital networks.

Related: Microsoft rewarded for security failures with another US government contract [1]

Wyden's [2]letter [PDF], delivered to FTC chair Andrew Ferguson on September 10, paints Microsoft not just as a careless vendor, but as a danger to national security.

"I urge the FTC to investigate Microsoft and hold the company responsible for the serious harm it has caused by delivering dangerous, insecure software to the US government and to critical infrastructure entities, such as those in the US healthcare sector," Wyden wrote.

"Without timely action, Microsoft's culture of negligent cybersecurity, combined with its de facto monopolization of the enterprise operating system market, poses a serious national security threat and makes additional hacks inevitable."

The case stems from last year's [3]ransomware attack against Ascension, a Catholic nonprofit that runs more than 140 hospitals across the US. According to new information Wyden's office obtained from Ascension, a contractor using a company laptop ran a Bing search and clicked on a malicious result, which downloaded malware onto their device. Attackers then used well-known weaknesses in Microsoft's default configurations to escalate privileges, move laterally through the network, and deliver ransomware across thousands of machines.


The attack disrupted surgeries, forced doctors and nurses to revert to pen and paper, and led to the theft of personal and medical data belonging to roughly 5.6 million patients.


Wyden points to a decades-old weakness known as "Kerberoasting" as a key factor in the breach. The attack relies on the fact that Microsoft still uses RC4 as the default encryption algorithm for Kerberos tickets, a choice security researchers have warned against for years. Although stronger options such as AES exist, Redmond hasn't made the switch, a decision Wyden argues "needlessly exposes its customers to ransomware and other cyber threats."

He said Microsoft has known about this for years but has failed to act decisively, noting that a promised patch to disable RC4 by default has yet to materialize nearly a year after being announced. The senator also criticized the company for burying its security guidance in an obscure Friday blog post rather than proactively warning customers.

[7]Kidney dialysis giant DaVita tells 2.4M people they were snared in ransomware data theft nightmare

[8]Pentagon ends Microsoft's use of China-based support staff for DoD cloud

[9]Surprise, surprise: Chinese spies, IP stealers, other miscreants attacking Microsoft SharePoint servers

[10]Microsoft admits it 'cannot guarantee' data sovereignty

Adding fuel to the fire, Wyden argued that Microsoft's defaults are stacked against its users. Password policies do not enforce the long, complex passwords needed to resist Kerberoasting attacks, and many customers are unaware of the risk until it is too late. In his letter, Wyden accused the software giant of putting profit over security, claiming it has built "a multibillion-dollar secondary business selling cybersecurity add-on services to those organizations that can afford it," likening Microsoft to "an arsonist selling firefighting services to their victims."
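The two weaknesses the letter ties together, RC4 service tickets and service-account passwords short enough to crack offline, can both be checked from the defender's side. The following is an added example, not code from the article or from Microsoft: it audits constructed service-account attributes (the `msDS-SupportedEncryptionTypes` bit values and the 4769 event field names are Microsoft's; the password-length and password-age thresholds, the account names and the flattened `key=value` log format are assumptions made here) and then scans constructed Windows Security event 4769 records for a requester that pulls many RC4-encrypted (etype 0x17) service tickets, the pattern a mass Kerberoast leaves in the domain controller's log.

```python
"""Added example (not the article's or Microsoft's code): defender-side checks
for the Kerberoasting exposure discussed above, run on constructed sample data.

  1. audit_account(): does a service account still allow RC4 (or leave
     msDS-SupportedEncryptionTypes unset, treated here as the legacy RC4-only
     default), and is its password short or stale?
  2. detect_kerberoast_bursts(): over Security event 4769 records, flag a
     requester that obtained RC4 service tickets for many distinct services.
"""
from collections import defaultdict
from dataclasses import dataclass

# Bit values of the msDS-SupportedEncryptionTypes attribute.
DES_CBC_CRC, DES_CBC_MD5, RC4_HMAC, AES128_CTS, AES256_CTS = 0x1, 0x2, 0x4, 0x8, 0x10
WEAK_ETYPES = DES_CBC_CRC | DES_CBC_MD5 | RC4_HMAC
AES_ETYPES = AES128_CTS | AES256_CTS

# TicketEncryptionType values as written into event 4769.
ETYPE_AES128, ETYPE_AES256, ETYPE_RC4 = 0x11, 0x12, 0x17


@dataclass
class ServiceAccount:
    name: str
    spns: tuple               # servicePrincipalName values; empty = no ticket to roast
    supported_enc_types: int  # 0 = attribute unset (assumed: legacy RC4-only default)
    password_length: int
    password_age_days: int


def audit_account(acct, min_len=25, max_age_days=365):
    """Return finding tags for one account; empty list means nothing to fix.
    Thresholds are assumptions chosen for this example."""
    if not acct.spns:
        return []                                  # no SPN: nothing to request
    etypes = acct.supported_enc_types or RC4_HMAC  # unset -> treated as RC4 only
    findings = []
    if etypes & WEAK_ETYPES:
        findings.append("rc4-or-des-allowed")
    if not etypes & AES_ETYPES:
        findings.append("no-aes")
    if acct.password_length < min_len:
        findings.append("short-password")          # crackable offline from a ticket
    if acct.password_age_days > max_age_days:
        findings.append("stale-password")
    return findings


def parse_4769(line):
    """Parse one constructed 'k=v;k=v' flattening of a 4769 event.
    Real events arrive as EVTX/XML; only the field names match."""
    fields = dict(kv.split("=", 1) for kv in line.strip().split(";"))
    fields["TicketEncryptionType"] = int(fields["TicketEncryptionType"], 16)
    return fields


def detect_kerberoast_bursts(lines, threshold=3):
    """Map (requesting user, source IP) -> sorted services for which that
    requester obtained RC4 tickets, keeping requesters at or above threshold."""
    seen = defaultdict(set)
    for line in lines:
        e = parse_4769(line)
        if e["TicketEncryptionType"] != ETYPE_RC4:
            continue                               # AES tickets are not the concern
        svc = e["ServiceName"]
        if svc.lower() == "krbtgt" or svc.endswith("$"):
            continue                               # TGT / machine accounts: random passwords
        seen[(e["TargetUserName"], e["IpAddress"])].add(svc)
    return {k: sorted(v) for k, v in seen.items() if len(v) >= threshold}


# Constructed sample data; no real directory or log was used.
SAMPLE_ACCOUNTS = [
    ServiceAccount("svc_sql", ("MSSQLSvc/db01.corp.example:1433",), 0, 12, 800),
    ServiceAccount("svc_web", ("HTTP/web01.corp.example",), AES256_CTS, 32, 30),
    ServiceAccount("jdoe", (), 0, 10, 400),
]

SAMPLE_4769_LINES = [
    "EventID=4769;TargetUserName=jdoe;ServiceName=svc_sql;TicketEncryptionType=0x17;IpAddress=10.0.0.5",
    "EventID=4769;TargetUserName=jdoe;ServiceName=svc_web;TicketEncryptionType=0x17;IpAddress=10.0.0.5",
    "EventID=4769;TargetUserName=jdoe;ServiceName=svc_backup;TicketEncryptionType=0x17;IpAddress=10.0.0.5",
    "EventID=4769;TargetUserName=jdoe;ServiceName=WS01$;TicketEncryptionType=0x17;IpAddress=10.0.0.5",
    "EventID=4769;TargetUserName=asmith;ServiceName=svc_web;TicketEncryptionType=0x12;IpAddress=10.0.0.9",
]


def run_audit(accounts=SAMPLE_ACCOUNTS, lines=SAMPLE_4769_LINES):
    """Combine both checks into one report dict."""
    return {
        "accounts": {a.name: audit_account(a) for a in accounts if audit_account(a)},
        "bursts": detect_kerberoast_bursts(lines),
    }


if __name__ == "__main__":
    for section, rows in run_audit().items():
        print(section)
        for key, value in rows.items():
            print("  ", key, "->", value)
```

On the sample data the account check flags only `svc_sql` (RC4 allowed, no AES, 12-character password, 800 days old), and the event scan flags `jdoe` from 10.0.0.5, who obtained RC4 tickets for three distinct service accounts while the machine-account ticket and the AES request from another user are ignored. The same two checks map directly onto the fixes Wyden asks for: set AES-only encryption types on service accounts and enforce long, regularly rotated passwords on anything that owns an SPN.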

The senator framed Microsoft's behavior as part of a pattern, recalling the 2023 hack of US government email accounts by suspected Chinese spies, which a federal review board blamed on "inadequate" security culture at the company. Because Microsoft dominates the enterprise operating system market, Wyden warned, its decisions set the baseline for security across government and critical infrastructure – and its failings put everyone at risk.


Wyden's call for an FTC investigation is an attempt to force accountability. He wants regulators to compel Microsoft to ship secure defaults, deliver the long-delayed RC4 update, and provide plain-English guidance to customers about the risks they face. If the FTC takes up the case, it could mark a turning point in how Washington polices vendors whose software underpins critical services but repeatedly lands them in the headlines for all the wrong reasons.

For Microsoft, which has spent months promising a new "secure by design" era under its Secure Future Initiative, Wyden's letter is a sharp reminder that not everyone is convinced Redmond is serious about change. Whether the FTC decides to act may determine if this is just another round of public shaming or the start of a much deeper reckoning for one of the most powerful companies in tech. ®




[1] https://www.theregister.com/2025/09/02/microsoft_rewarded_for_security_failures/

[2] https://www.wyden.senate.gov/imo/media/doc/wyden_letter_to_ftc_on_microsoft_kerberoasting_ransomwarepdf.pdf

[3] https://www.theregister.com/2024/05/09/us_faithbased_healthcare_org_ascension/




[7] https://www.theregister.com/2025/08/22/davita_ransomware_infection/

[8] https://www.theregister.com/2025/08/29/pentagon_ends_microsofts_use_of/

[9] https://www.theregister.com/2025/07/22/chinese_groups_attacking_microsoft_sharepoint/

[10] https://www.theregister.com/2025/07/25/microsoft_admits_it_cannot_guarantee/





"needlessly exposes its customers to ransomware and other cyber threats."

Mentat74

Best description of Microsoft I've ever heard !

Re: "needlessly exposes its customers to ransomware and other cyber threats."

Rich 2

It’s incredible that it has taken until the 2020s for some people in governments around the world to finally wake up to the fact that MS software is utterly shite. And most businesses STILL don’t seem to think anything of it.

Human stupidity really has no limit

Re: "needlessly exposes its customers to ransomware and other cyber threats."

OhForF'

As Micros~1 set 34,000 full-time engineers to work on the [1]Secure Future Initiative back in Sep 2024, Senator Wyden will surely praise them for the great results that Micros~1 will publish any moment now.

[1] https://www.theregister.com/2024/09/23/microsoft_secure_future_initiative/

Re: "needlessly exposes its customers to ransomware and other cyber threats."

Doctor Syntax

"Senator Wyden will surely praise them for the great results that Micros~1 will publish any moment now."

He sounds like the sort of man who will have read TMMM so he won't be expecting any results any time soon.

"secure by design"

Steve Foster

was a promise Microsoft made a very long time ago (the Longhorn days, IIRC), but has consistently failed to deliver.

Some of that is of course due to negative feedback from enterprise customers ("but SbD makes our life harder because {mainly spurious reasons}").

Re: "secure by design"

alain williams

was a promise Microsoft made a very long time ago (the Longhorn days, IIRC), but has consistently failed to deliver.

Slogans are much cheaper than vast amounts of programming time.

security

Omnipresent

is not the point of m$. The point is to share data. It was built from the ground up to share information. Security is a low priority. Especially when they have been folded into the Russian coup of America.

It's all part of the plan.

Re: security

Joe W

Nah, it has been formed to take money from customers, and squeeze as much from them as possible...

Want them to sit up and take notice?

M.V. Lipvig

Ban M$ from any government contracts until they make their software secure. Hospitals take ACA? Ban. Business supports government contracts? Banned across the entire organization.

Re: Want them to sit up and take notice?

Pascal Monett

That's easy to say, but practically impossible to do.

Unless you accept that Government takes a decade to redo all of its tools in Linux.

Which I would personally like, but I'm not concerned here.

In any case, this is a gold-plated arrow against Redmond and I hope that some good will come of it.

Blackjack

With a third of the money they are paying Microsoft for faulty services and tech support they could teach their employees to use Linux and cover Linux tech support.

But nope.

Tight

elsergiovolador

I think this begs for tighter integration with Copoolot. Hackers would think twice if suddenly they heard "Watcha doing here, comrade? Are you trying to hack this system?"

Basically, Microshaft needs to double down on adding more AI and push developers to adopt more secure vibes. Even telling them to add "Pls make it secure, this time for real." at the end of the prompts would substantially increase security of the products. When developers finally return to offices, they could employ chaperones doing vibe checks, to ensure right prompts are always used.

Re: Tight

Pascal Monett

What ? Adding more hallucinating bullshit generators ?

I don't think that's a very good idea.

Hmm.

steviebuk

I'd say it's still another old fuck who doesn't understand tech. We all like Linux, but if you don't have the funding and knowledge someone will get in. We don't want MS to lock down like Apple, otherwise we're stuck using their shitty app store. I dislike Apple massively due to its walled garden. The TPM chip came about due to MS claiming it would make systems more secure when in fact it just benefited MS, abusing it now with the Windows 11 requirement requiring it.

You take the blame, and you take the blame

Anonymous Coward

Yeah, MS is not secure by default, but let's be honest, customers don't want it.

Plus if the customers actually cared about being secure they could have taken steps to mitigate all these issues. But they don't.

When CEOs are looking at jail time for supplying junk, or installing junk THEN it'll get taken seriously. Until then the fine is just another expense. And usually an acceptable one.

The Comes v. Microsoft Corp.

Anonymous Coward

“The Comes v. Microsoft Corp. class-action lawsuit, filed in Iowa in 2000, alleged that Microsoft unlawfully monopolized the markets for Intel-compatible PC operating systems and software, resulting in higher prices for consumers. After extensive litigation, including appeals to the Iowa Supreme Court affirming that indirect purchasers could sue, the parties reached a settlement in 2007 valued at approximately $180 million.”

“The case involved massive document discovery efforts, with Microsoft producing over 25 million pages of documents. Paper documents were required to be destroyed or returned under court orders, leaving digital records as the primary archive. The litigation was notable for its scale, the affirmation of consumers’ rights under Iowa competition law, and the significant settlement that followed after a protracted trial process.”

[1]$180 Million Microsoft Iowa Antitrust Settlement Results in Cash Benefits to Consumers

[2]Index of /iowa/www.iowaconsumercase.org

[1] https://www.zellelaw.com/news-updates-13

[2] http://edge-op.org/iowa/www.iowaconsumercase.org/

um

Anonymous Coward

“Wyden's call for an FTC investigation is an attempt to force accountability. He wants regulators to compel Microsoft to ship secure defaults, deliver the long-delayed RC4 update,”

RC4 shouldn’t be default. But if the default is changed, there will be a lot of admins that change it back if it’s still available, because of legacy stuff. It took us a decade to even get rid of Win7, and I still have an XP running somewhere. Firewalled, no Internet access, separate VLAN. And hopefully gone before the end of the year.

MS should definitely take a lot of the blame here. But the (large) organisation that used defaults is not without blame either.
