Negligence by Design: How Microsoft Keeps Leaving the Back Door Open
Enterprises need to demand secure-by-default systems instead of settling for bolt-on patches
By Julio Rivera, September 28, 2025 3:00 am
Microsoft’s latest public shaming comes courtesy of an unlikely source: Democratic Senator Ron Wyden, one of the few Democrats who is actually paying attention to the current cyber mess. Wyden is demanding that the FTC launch an investigation into what he bluntly calls “gross cybersecurity negligence.” That phrase isn’t hyperbole. It’s an indictment of a company whose software decisions keep leaving the barn door open while American hospitals, schools, and government agencies get ransacked by cybercriminals.
The spark for Wyden’s fury is the breach at Ascension Health, where nearly 6 million patient records were compromised thanks to Microsoft’s insecure defaults. A contractor clicked a poisoned Bing link, and suddenly the attackers had a path into the heart of the network. Microsoft’s outdated RC4 encryption, inexplicably left enabled by default, allowed hackers to escalate privileges with Kerberoasting, take over Active Directory, and wreak havoc.
This wasn’t a fluke. It was design negligence. RC4 has been known to be weak for years. Yet Microsoft decided to keep it around in the name of “compatibility,” effectively prioritizing convenience over national security. The company has promised to finally disable RC4—by 2026. Translation: three more years of systemic exposure while attackers laugh all the way to the command line.
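The escalation path the article describes (a low-privilege foothold, RC4 still enabled, Kerberoasting against service accounts) leaves a trace on every domain controller: Security event 4769 records each service-ticket request together with its TicketEncryptionType, and RC4-HMAC is type 0x17. The following Python example is added here for illustration; it is not code from the article, from Microsoft, or from any named vendor. It parses a constructed key=value rendering of 4769 events (field names follow the real event schema, the log format and the threshold are assumptions), flags one account requesting RC4 tickets for several distinct service accounts in a short window, and inventories which service accounts are still being issued RC4 tickets at all, which is the check a team needs to run before disabling RC4 rather than waiting for a vendor deadline.

```python
"""Defender-side review of Kerberos service-ticket requests (Windows Security event 4769).

Two questions this answers from the same log:
  1. Did any single account request RC4 tickets for many service accounts at once
     (the pattern a Kerberoasting sweep leaves behind)?
  2. Which service accounts are still receiving RC4 tickets, i.e. what would break
     if RC4 were disabled tomorrow?
The log format below is a constructed key=value flattening, not the native EVTX layout.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Values of the TicketEncryptionType field in event 4769.
RC4_HMAC = 0x17          # the legacy type the article is about
AES128_SHA1 = 0x11
AES256_SHA1 = 0x12

# Constructed sample events (assumption: one event per line, fields separated by ';').
SAMPLE_LOG = [
    "Time=2025-09-01T09:00:01;EventID=4769;TargetUserName=contractor1@CORP.LOCAL;ServiceName=svc_sql;TicketEncryptionType=0x17;IpAddress=10.1.2.3;Status=0x0",
    "Time=2025-09-01T09:00:02;EventID=4769;TargetUserName=contractor1@CORP.LOCAL;ServiceName=svc_backup;TicketEncryptionType=0x17;IpAddress=10.1.2.3;Status=0x0",
    "Time=2025-09-01T09:00:03;EventID=4769;TargetUserName=contractor1@CORP.LOCAL;ServiceName=svc_web;TicketEncryptionType=0x17;IpAddress=10.1.2.3;Status=0x0",
    "Time=2025-09-01T09:00:04;EventID=4769;TargetUserName=contractor1@CORP.LOCAL;ServiceName=WS01$;TicketEncryptionType=0x17;IpAddress=10.1.2.3;Status=0x0",
    "Time=2025-09-01T09:05:00;EventID=4769;TargetUserName=alice@CORP.LOCAL;ServiceName=svc_sql;TicketEncryptionType=0x12;IpAddress=10.1.5.9;Status=0x0",
    "Time=2025-09-01T09:06:00;EventID=4768;TargetUserName=alice@CORP.LOCAL;ServiceName=krbtgt;TicketEncryptionType=0x12;IpAddress=10.1.5.9;Status=0x0",
    "Time=2025-09-01T11:30:00;EventID=4769;TargetUserName=alice@CORP.LOCAL;ServiceName=svc_legacy;TicketEncryptionType=0x17;IpAddress=10.1.5.9;Status=0x0",
]


def parse_4769(line):
    """Parse one flattened record; return None for anything that is not a 4769 event."""
    fields = dict(kv.split("=", 1) for kv in line.strip().split(";") if "=" in kv)
    if fields.get("EventID") != "4769":
        return None
    fields["TicketEncryptionType"] = int(fields["TicketEncryptionType"], 16)
    fields["Time"] = datetime.fromisoformat(fields["Time"])
    return fields


def is_rc4_service_request(ev):
    """A successful RC4 ticket for a user-style SPN account (not a machine account, not krbtgt)."""
    svc = ev["ServiceName"]
    return (ev["TicketEncryptionType"] == RC4_HMAC
            and ev.get("Status", "0x0") == "0x0"
            and not svc.endswith("$")
            and svc.lower() != "krbtgt")


def find_rc4_bursts(lines, threshold=3, window=timedelta(minutes=10)):
    """Return {requesting account: sorted service accounts} for every account that obtained
    RC4 tickets for at least `threshold` distinct service accounts within one `window`."""
    per_user = defaultdict(list)
    for line in lines:
        ev = parse_4769(line)
        if ev and is_rc4_service_request(ev):
            per_user[ev["TargetUserName"]].append(ev)

    alerts = {}
    for user, evs in per_user.items():
        evs.sort(key=lambda e: e["Time"])
        for i, start in enumerate(evs):          # slide the window over each request
            in_window = {e["ServiceName"] for e in evs[i:]
                         if e["Time"] - start["Time"] <= window}
            if len(in_window) >= threshold:
                alerts[user] = sorted(in_window)
                break
    return alerts


def rc4_service_accounts(lines):
    """Every service principal that was issued an RC4 ticket: the compatibility inventory
    to clear (move to AES keys, fix msDS-SupportedEncryptionTypes) before RC4 is disabled."""
    names = set()
    for line in lines:
        ev = parse_4769(line)
        if ev and ev["TicketEncryptionType"] == RC4_HMAC:
            names.add(ev["ServiceName"])
    return sorted(names)


if __name__ == "__main__":
    for user, services in find_rc4_bursts(SAMPLE_LOG).items():
        print(f"ALERT {user}: RC4 tickets for {len(services)} service accounts: {services}")
    print("Still issued RC4 tickets:", rc4_service_accounts(SAMPLE_LOG))
```

On the sample data the burst detector flags contractor1 (three distinct service accounts in three seconds, the machine account WS01$ excluded) and leaves alice alone, whose single RC4 request for svc_legacy shows up only in the inventory list. The threshold and window are starting points; tune them against a baseline of your own domain, and treat the inventory output as the list of principals to migrate to AES before turning RC4 off in Group Policy.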
Wyden’s analogy is brutal but on point: Microsoft is “an arsonist selling firefighting services to their victims.” And it’s hard to argue. The same company whose decisions lit the fire is the one selling cloud and security services to desperate customers who have no real alternative.
This is not the first time Microsoft has been caught asleep at the wheel. The 2023 Storm-0558 breach, tied to Chinese state actors, was traced back to Microsoft errors in Exchange Online. The Cyber Safety Review Board ripped the company for having a “security culture” better described as an afterthought. Then came 2024, when a flaw in SharePoint let intruders persist inside networks for months. Each time, Microsoft pledges reforms, issues a stern blog post, and cashes another multi-billion-dollar government contract.
The U.S. government, astonishingly, continues to shovel taxpayer money into contracts with the same vendor whose oversights weaken national security. That would be like hiring a contractor to rebuild your house after he burned it down with faulty wiring—then paying him double because he swears he’ll do better next time.
Meanwhile, the larger cyber landscape is being lit up by fresh disasters. The Shai-Hulud worm, a particularly nasty supply chain attack, compromised npm packages—including ones tied to CrowdStrike—and spread credential-stealing code like wildfire across development environments. CrowdStrike itself showed how fragile “protection” can be when, in 2024, a buggy Falcon sensor update bricked more than 8 million Windows machines worldwide. Airports, hospitals, and Fortune 500 companies all found themselves kneecapped by the very tool that was supposed to safeguard them.
Add in the recent emergence of Toneshell, a remote access Trojan now circulating in the wild, and the picture gets uglier. Toneshell is designed for persistence and stealth, burrowing into systems and maintaining a foothold for attackers who want long-term access. It joins a rogues’ gallery of digital plagues like the SnakeDisk USB worm, which spreads via removable drives, hides files, and tricks users into installing backdoors. These are not hypotheticals; they’re active threats chewing through unprepared networks every single day.
The common thread here is fragility. Supply chains collapse when one dependency is poisoned. Endpoint defenses fail catastrophically when a single update goes sideways. Trojans and worms slip through when security is treated as a software add-on instead of a foundational design principle.
That brings us back to Microsoft, because when one company controls the operating system layer of most enterprise IT, its negligence doesn’t just harm its own customers—it creates systemic risk for the entire country. Every insecure default, every decision to prop up obsolete protocols, every patch that breaks more than it fixes ripples outward, creating opportunities for adversaries. And adversaries don’t need to be particularly creative when the doors are already wide open.
So where do we go from here? Wyden is right to call for an FTC probe. The agency has the authority to treat insecure defaults and deceptive claims as unfair business practices. If Microsoft can’t or won’t fix its products, the government should force accountability the same way it would for an auto manufacturer shipping cars with defective brakes.
But regulation is only part of the solution. Enterprises need to demand secure-by-default systems instead of settling for bolt-on patches. They must insist on third-party audits and independent penetration testing instead of trusting glossy marketing decks. And they must recognize that endpoint protection cannot be outsourced to a single sensor or service. Real resilience requires layered defenses—EDR, zero trust segmentation, rigorous monitoring—that assume attackers will eventually get in and focus on containing the blast radius.
The supply chain chaos around Shai-Hulud, the global outage tied to CrowdStrike, and the persistence of cyber threats in general all point to the same conclusion: companies that treat security as optional or reactive are volunteering to become the next headline. In today’s threat environment, you’re either hardened or you’re hacked. There is no middle ground.
The stakes are enormous. A country whose hospitals are paralyzed, whose schools are ransomed, and whose infrastructure is crippled by worms and Trojans cannot function. And yet we keep betting our digital lives on a vendor that has failed time and again to prioritize security over legacy compatibility and market dominance.
Wyden’s words may sting, but they capture the reality: Microsoft is both the arsonist and the fire brigade. The flames keep spreading, and the company keeps selling hoses. The FTC investigation is overdue, but real change will require more than stern letters and fines. It will require a cultural reset in how we design, purchase, and enforce cybersecurity.
Because the next big breach is not lurking in the shadows—it’s already in motion, flowing through weak encryption, poisoned packages, and Trojan backdoors. The question isn’t whether the fire spreads, but whether we finally stop letting the arsonist run the firehouse.
If Wyden would get rid of his own TDS (Trump Derangement Syndrome) and join with Fetterman to bring sanity back into the Democrat party, he might get more help in his crusade on “gross cybersecurity negligence”. Why is Wyden criticizing Trump’s appointee FTC chair Ferguson now? Did Wyden make the same demands of FTC chair Khan under Biden? Wyden is proving that he is just another partisan leftist loser.
FTC involvement is tantamount to a fox guarding the chicken coop. Access to Microsoft’s inner workings is one corrupt/compromised employee away. In the real world it’s “Alice’s Restaurant.”
Microsoft is notoriously the worst for “paid code leaks” by employees.
The IT folks at our company uncovered attempted intrusions into our confidential data to discover there are/were compromised employee(s) at Proton Mail.
The data universe/interconnect/Internet is becoming the scourge of legitimate business and humanity: Try unringing that bell!
Surprised that Eyeinthesky didn’t try to blame President Trump for Microsoft’s software backdoors. Eyeinthesky is completely insane suffering from terminal TDS. The Secret Service and law enforcement need to be made aware of Eyeinthesky’s posts which sound like a threat to President Trump.
This article is accurate. However, it is even worse than described. The patches Microsoft provides often fail to install. Sometimes the patches cause servers to stop running completely, requiring the entire server to be restored from backup and repaired. The patches are poorly tested before being released. Here’s the worst part: the patches are getting more and more unreliable. Good luck getting in touch with anyone at Microsoft for help. They won’t get back to you for days. There seems to be a direct relationship between how unreliable the patches are and Microsoft’s push to have everyone move to their cloud computing platform. I wouldn’t trust the security of Microsoft’s cloud platform either.
Surprise surprise…
Dominion relies on Microsoft security on its platform, and it’s described in detail in a PDF that’s on the CA Secretary of State website.
President Trump is calling Microsoft out for hiring Deep State Democrat Lisa Monaco:
“Corrupt and Totally Trump Deranged Lisa Monaco (A purported pawn of Legal Lightweight Andrew Weissmann), was a senior National Security aide under Barack Hussein Obama,” Trump wrote. “Monaco has been shockingly hired as the President of Global Affairs for Microsoft, in a very senior role with access to Highly Sensitive Information. Monaco’s having that kind of access is unacceptable, and cannot be allowed to stand.”
Fyi. Monaco was in Obama’s DOJ: From 2011 to 2013, she was Assistant Attorney General for the National Security Division, overseeing counter terrorism and cyber issues….
Do we want someone like this in charge of Microsoft back doors to the world? No way….the fixes will never be made.
You will also notice that Microsoft fails to employ end-to-end encryption for SharePoint and OneDrive. End-to-end encryption means the file is encrypted on your computer before it is even sent to Microsoft for storage, and the encryption keys are held by you only, not Microsoft. As it is now, Microsoft can read all of your files. They will tell you the files are encrypted on their servers, but Microsoft has the encryption keys. What good does that do? That’s the fox guarding the henhouse.
And it’s worse than that. Once hackers hack Microsoft’s servers, which they have done, hackers can see your files, too.
Microsoft is not concerned about your privacy and security. That’s not surprising given Microsoft is a far left company, and gave a big donation to Black Lives Matter. In 2021, Microsoft employees contributed significantly to Democratic candidates and organizations, with the Microsoft Political Action Committee (MSPAC) supporting Democratic initiatives. More recently, data from 2024 shows that Microsoft employees are donating millions to Vice President Kamala Harris’s campaign, reflecting a broader trend of tech workers supporting progressive candidates. The company donated to the Alliance of Her, an ALDE party project focused on women’s empowerment, and sponsored an ALDE conference on renewable energy in Ireland. Additionally, Microsoft has contributed to the European Liberal Forum (ELF), the think tank of the Alliance of Liberals and Democrats of Europe (ALDE).
Is Microsoft “hacking” their own systems to sell fixes and generally disrupt life for their customers? Is this like the proverbial glass company that throws bricks through windows to increase business? Keep in mind that Bill is waging war on humanity as we speak. What would a genocidal maniac do?