Microsoft to Retire Vulnerable RC4 Encryption Cipher After Decades of Security Risks

Microsoft is set to retire an outdated and insecure encryption cipher, RC4, which Windows has utilized by default for 26 years. This decision comes in the wake of numerous cyberattacks exploiting RC4 and recent sharp criticism from U.S. Senator Ron Wyden.

In 2000, Microsoft introduced Active Directory and made RC4 the sole method of securing this Windows component. Administrators use Active Directory to configure and manage user accounts within large organizations. Originally developed in 1987 by RSA Security's Ron Rivest, RC4 was intended to be a secure cipher. However, after the algorithm was leaked in 1994, a researcher quickly found a weakness that undermined the security RC4 had been assumed to provide. Despite this, RC4 continued to be used in encryption protocols like SSL and TLS until recent years.

Out with the Old

Microsoft has been one of the last major players to support RC4. Eventually, the company updated Active Directory to incorporate the more secure AES encryption standard. However, Windows servers would still, by default, accept RC4-based authentication requests. This fallback made RC4 an appealing target for hackers seeking to breach enterprise networks. In one notable incident, RC4 played a pivotal role in a breach of the health giant Ascension, leading to life-threatening interruptions at 140 hospitals and exposing the medical records of 5.6 million patients. In September, U.S. Senator Ron Wyden urged the Federal Trade Commission to investigate Microsoft for what he termed 'gross cybersecurity negligence' due to the continued default support for RC4.

Last week, Microsoft announced its decision to phase out RC4, after acknowledging its vulnerability to attack methods such as Kerberoasting. Kerberoasting, recognized since 2014, was identified as the method attackers used to initially infiltrate Ascension's network.
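The fallback described above shows up on the wire as Kerberos service-ticket (TGS) requests that negotiate RC4-HMAC, and Kerberoasting produces a burst of them for human service accounts. The following is an added example, not code from the article or from Microsoft, that flags such requests in constructed log lines styled after Windows Security Event ID 4769 fields (the one-line key=value layout is an assumption for this demo; real exports differ in shape).

```python
from collections import Counter

# Kerberos encryption type (etype) values as logged in the TicketEncryptionType field.
RC4_HMAC = 0x17            # etype 23: what the article's RC4 fallback means on the wire
AES_ETYPES = {0x11, 0x12}  # AES128 / AES256 CTS-HMAC-SHA1-96, the preferred types

# Constructed sample records in the style of Event ID 4769 (service ticket requested)
# and 4768 (TGT requested). Names, realms and addresses are made up.
SAMPLE_LOG = """\
EventID=4769;TargetUserName=alice@CORP.EXAMPLE;ServiceName=MSSQLSvc;TicketEncryptionType=0x17;IpAddress=10.0.0.5
EventID=4769;TargetUserName=alice@CORP.EXAMPLE;ServiceName=HTTP-svc;TicketEncryptionType=0x12;IpAddress=10.0.0.5
EventID=4769;TargetUserName=alice@CORP.EXAMPLE;ServiceName=krbtgt;TicketEncryptionType=0x17;IpAddress=10.0.0.5
EventID=4769;TargetUserName=WS01$@CORP.EXAMPLE;ServiceName=WS02$;TicketEncryptionType=0x17;IpAddress=10.0.0.9
EventID=4768;TargetUserName=bob@CORP.EXAMPLE;ServiceName=krbtgt;TicketEncryptionType=0x17;IpAddress=10.0.0.7
"""

def parse_event(line):
    """Split one 'key=value;...' record into a dict (demo format, see lead-in)."""
    return dict(field.split("=", 1) for field in line.strip().split(";") if field)

def rc4_tgs_requests(log_text):
    """Return (requester, service, ip) for every TGS request that used RC4-HMAC.

    krbtgt (TGT renewals/referrals) and computer accounts (names ending in $) are
    skipped: they are not Kerberoasting targets and would only add noise."""
    hits = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev.get("EventID") != "4769":
            continue
        if int(ev["TicketEncryptionType"], 16) != RC4_HMAC:
            continue
        svc = ev["ServiceName"]
        if svc == "krbtgt" or svc.endswith("$"):
            continue
        hits.append((ev["TargetUserName"], svc, ev["IpAddress"]))
    return hits

def bulk_requesters(hits, threshold=3):
    """Requesters with at least `threshold` RC4 service tickets: one RC4 ticket can be
    a legacy app, many distinct ones from a single account is the pattern to triage."""
    counts = Counter(who for who, _svc, _ip in hits)
    return {who: n for who, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    for who, svc, ip in rc4_tgs_requests(SAMPLE_LOG):
        print(f"RC4 service ticket for {svc} requested by {who} from {ip}")
```

Enforcing AES-only on the service accounts themselves (msDS-SupportedEncryptionTypes) removes the fallback that this check merely observes.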
