Microsoft Retires Decades-Old Security Threat

Summary
– Microsoft is permanently disabling the outdated and vulnerable RC4 encryption cipher, which Windows has supported by default for 26 years.
– RC4 was originally the sole encryption for Active Directory and remained a default fallback, despite being significantly weakened by a known attack since 1994.
– Hackers have frequently exploited the RC4 fallback, including in a major 2023 breach of health giant Ascension that disrupted hospitals and exposed patient records.
– U.S. Senator Ron Wyden criticized Microsoft for “gross cybersecurity negligence” due to its continued default support for the vulnerable RC4 cipher.
– Microsoft is deprecating RC4 specifically due to its susceptibility to Kerberoasting attacks, which were the root cause of the initial Ascension network intrusion.
Microsoft is finally removing a decades-old and fundamentally flawed encryption method from its Windows operating systems, ending a significant security vulnerability that has been exploited in numerous high-profile cyberattacks. This move comes after years of criticism from security experts and, more recently, a prominent U.S. senator who accused the company of negligence. The deprecated cipher, known as RC4, has been a default component for securing Active Directory since the year 2000, despite being cryptographically broken for most of that time.
The RC4 cipher was originally developed in 1987 and became a cornerstone of early internet security protocols. However, its weaknesses were exposed shortly after its design was publicly leaked in 1994. Researchers quickly demonstrated attacks that could break the encryption, yet it remained widely supported for compatibility reasons. Microsoft integrated RC4 as the sole encryption method for its then-new Active Directory service, a critical tool for managing user accounts and permissions in large organizations. Even as the company later upgraded to support the more robust AES standard, Windows servers continued to accept and respond to authentication requests using the vulnerable RC4 cipher by default.
This persistent backward compatibility created a major security liability. Attackers have long exploited this RC4 fallback mechanism in a technique known as Kerberoasting, which has been a documented threat since 2014. The technique allows hackers to intercept and crack encrypted authentication tickets, granting them unauthorized access to corporate networks. The real-world consequences have been severe. For instance, the major 2023 breach of healthcare provider Ascension, which disrupted operations at 140 hospitals and compromised millions of patient records, was initiated using a Kerberoasting attack that leveraged the RC4 weakness.
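The defensive counterpart to the Kerberoasting pattern described above is to watch for service tickets issued with the RC4 encryption type. The following is an added example, not code from the article or from Microsoft: it parses constructed log lines shaped like Windows Security event 4769 ("A Kerberos service ticket was requested", flattened to one line each, which is an assumption about the export format), keeps those whose Ticket Encryption Type is RC4 (0x17 or 0x18), and reports accounts that pulled RC4 tickets for several distinct services, the burst pattern a defender would review.

```python
import re

# Constructed sample lines in the shape of Windows Security event 4769,
# flattened to one line per event. Etype 0x12 is AES256-CTS-HMAC-SHA1-96,
# 0x17 is RC4-HMAC. Event 4768 (TGT request) is included as a distractor.
SAMPLE_LOG = """\
EventID=4769 Account Name=alice@CORP.EXAMPLE Service Name=sql-svc Ticket Encryption Type=0x12 Client Address=::ffff:10.0.0.21
EventID=4769 Account Name=bob@CORP.EXAMPLE Service Name=sql-svc Ticket Encryption Type=0x17 Client Address=::ffff:10.0.0.45
EventID=4769 Account Name=bob@CORP.EXAMPLE Service Name=http-svc Ticket Encryption Type=0x17 Client Address=::ffff:10.0.0.45
EventID=4769 Account Name=bob@CORP.EXAMPLE Service Name=backup-svc Ticket Encryption Type=0x17 Client Address=::ffff:10.0.0.45
EventID=4769 Account Name=bob@CORP.EXAMPLE Service Name=krbtgt Ticket Encryption Type=0x17 Client Address=::ffff:10.0.0.45
EventID=4768 Account Name=carol@CORP.EXAMPLE Service Name=krbtgt Ticket Encryption Type=0x17 Client Address=::ffff:10.0.0.9
"""

RC4_ETYPES = {"0x17", "0x18"}  # rc4-hmac and rc4-hmac-exp
FIELD_RE = re.compile(
    r"(EventID|Account Name|Service Name|Ticket Encryption Type|Client Address)=(\S+)"
)


def parse_event(line):
    """Turn one flattened event line into a field -> value dict."""
    return dict(FIELD_RE.findall(line))


def rc4_service_ticket_requests(log_text):
    """Return the 4769 events whose service ticket used an RC4 etype.
    krbtgt requests are skipped: those concern the TGT, not the service
    account tickets that Kerberoasting cracks offline."""
    hits = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev.get("EventID") != "4769":
            continue
        if ev.get("Ticket Encryption Type", "").lower() not in RC4_ETYPES:
            continue
        if ev.get("Service Name", "").lower().startswith("krbtgt"):
            continue
        hits.append(ev)
    return hits


def kerberoasting_candidates(log_text, threshold=3):
    """Accounts that obtained RC4 service tickets for at least `threshold`
    distinct services. A single RC4 ticket is often a legacy client; many
    SPNs from one account in one export is what deserves review."""
    per_account = {}
    for ev in rc4_service_ticket_requests(log_text):
        per_account.setdefault(ev["Account Name"], set()).add(ev["Service Name"])
    return {a: sorted(s) for a, s in per_account.items() if len(s) >= threshold}
```

In a real deployment the same logic runs over the domain controllers' 4769 stream; the threshold and time window are tuning knobs, and any legitimate RC4-only client it surfaces is exactly the dependency to retire before disabling the cipher.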
The continued default support for such a known vulnerability drew sharp rebuke. In September, U.S. Senator Ron Wyden formally urged the Federal Trade Commission to investigate Microsoft, labeling the company’s inaction as “gross cybersecurity negligence.” Last week, Microsoft announced it is officially deprecating RC4 support in Windows, directly citing its role in enabling Kerberoasting attacks. This long-overdue change will help close a dangerous door that has been left open for attackers for over a decade, forcing a necessary shift toward more secure modern encryption standards across enterprise networks.
(Source: Ars Technica)


