Senator blasts Microsoft for ‘dangerous, insecure software’ that helped pwn US hospitals

Microsoft is back in the firing line after US Senator Ron Wyden accused Redmond of shipping "dangerous, insecure software" that helped cybercrooks cripple one of America's largest hospital networks.


Wyden's letter [PDF], delivered to FTC chair Andrew Ferguson on September 10, paints Microsoft not just as a careless vendor, but as a danger to national security.

"I urge the FTC to investigate Microsoft and hold the company responsible for the serious harm it has caused by delivering dangerous, insecure software to the US government and to critical infrastructure entities, such as those in the US healthcare sector," Wyden wrote.

"Without timely action, Microsoft's culture of negligent cybersecurity, combined with its de facto monopolization of the enterprise operating system market, poses a serious national security threat and makes additional hacks inevitable."

The case stems from last year's ransomware attack against Ascension, a Catholic nonprofit that runs more than 140 hospitals across the US. According to new information Wyden's office obtained from Ascension, a contractor using a company laptop ran a Bing search and clicked on a malicious result, which downloaded malware onto their device. Attackers then used well-known weaknesses in Microsoft's default configurations to escalate privileges, move laterally through the network, and deliver ransomware across thousands of machines.

The attack disrupted surgeries, forced doctors and nurses to revert to pen and paper, and led to the theft of personal and medical data belonging to roughly 5.6 million patients.

Wyden points to a decades-old vulnerability known as "Kerberoasting" as a key factor in the breach. The attack relies on the fact that Microsoft continues to use RC4 as its default encryption algorithm, a choice security researchers have warned against for years. Although more secure options like AES exist, Redmond hasn't made the switch, a decision Wyden argues "needlessly exposes its customers to ransomware and other cyber threats."
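For readers who want to see what the RC4 default looks like from the defender's side, here is an added example (not part of the article, and not Microsoft's or Ascension's code) that scans Windows Security event 4769 records, the Kerberos service-ticket requests a domain controller logs, and flags the pattern Kerberoasting leaves behind: a single account pulling RC4-HMAC (ticket encryption type 0x17) tickets for several user accounts that carry service principal names. The log lines are constructed for the example and flattened to `key=value` pairs; real 4769 events have the same fields under slightly different names, so the parser is the part you would adapt to your SIEM. Account and host names are made up.

```python
import re
from collections import defaultdict

# Constructed sample Security events, one per line, mimicking the key fields of
# Event ID 4769 (Kerberos service ticket request) and 4768 (TGT request).
# The names, addresses and field layout are invented for this example.
SAMPLE_EVENTS = [
    "EventID=4769 Account=jdoe@CORP.LOCAL Service=sqlsvc TicketEncryptionType=0x17 Status=0x0 ClientAddress=10.1.2.3",
    "EventID=4769 Account=jdoe@CORP.LOCAL Service=backupsvc TicketEncryptionType=0x17 Status=0x0 ClientAddress=10.1.2.3",
    "EventID=4769 Account=jdoe@CORP.LOCAL Service=websvc TicketEncryptionType=0x17 Status=0x0 ClientAddress=10.1.2.3",
    "EventID=4769 Account=jdoe@CORP.LOCAL Service=reportsvc TicketEncryptionType=0x17 Status=0x0 ClientAddress=10.1.2.3",
    "EventID=4769 Account=asmith@CORP.LOCAL Service=WS01$ TicketEncryptionType=0x12 Status=0x0 ClientAddress=10.1.2.9",
    "EventID=4769 Account=asmith@CORP.LOCAL Service=sqlsvc TicketEncryptionType=0x12 Status=0x0 ClientAddress=10.1.2.9",
    "EventID=4769 Account=svc_scan@CORP.LOCAL Service=krbtgt TicketEncryptionType=0x17 Status=0x0 ClientAddress=10.1.2.20",
    "EventID=4768 Account=jdoe@CORP.LOCAL Service=krbtgt TicketEncryptionType=0x12 Status=0x0 ClientAddress=10.1.2.3",
]

# Kerberos encryption type identifiers as they appear in the 4769 event.
RC4_HMAC = 0x17      # the legacy default Wyden's letter objects to
AES128_CTS = 0x11
AES256_CTS = 0x12

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Turn one flattened 'key=value' log line into a dict."""
    return dict(FIELD_RE.findall(line))


def is_user_service_account(service):
    """True for SPNs owned by ordinary user accounts, the targets of Kerberoasting.

    Machine accounts (names ending in '$') have long random passwords, and
    krbtgt is the KDC's own account, so tickets for those are not of interest.
    """
    return not service.endswith("$") and service.lower() != "krbtgt"


def rc4_service_ticket_requests(lines):
    """Return the successful 4769 events that issued an RC4 ticket for a user SPN."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "4769" or ev.get("Status") != "0x0":
            continue
        enc = int(ev.get("TicketEncryptionType", "0x0"), 16)
        if enc == RC4_HMAC and is_user_service_account(ev.get("Service", "")):
            hits.append(ev)
    return hits


def suspicious_requesters(lines, threshold=3):
    """Map each requesting account to the distinct user SPNs it obtained RC4 tickets for.

    One account collecting RC4 tickets for several different service accounts in
    a short window is the classic Kerberoasting footprint; a legitimate client
    normally talks to one or two services. `threshold` is a tunable assumption.
    """
    per_account = defaultdict(set)
    for ev in rc4_service_ticket_requests(lines):
        per_account[ev["Account"]].add(ev["Service"])
    return {acct: sorted(svcs) for acct, svcs in per_account.items() if len(svcs) >= threshold}


if __name__ == "__main__":
    for acct, svcs in suspicious_requesters(SAMPLE_EVENTS).items():
        print(f"{acct}: RC4 service tickets for {len(svcs)} user SPNs: {', '.join(svcs)}")
```

Two things the output makes concrete. First, the AES-only requests from `asmith` are ignored even though one of them touches the same `sqlsvc` account: the exposure is the RC4 ticket, whose hash is derived from the account's NT password hash and can be attacked offline, not the ticket request itself. Second, the `svc_scan` line shows why the machine-account and krbtgt exclusions matter; without them a noisy but harmless scanner would trip the rule. Until the RC4-disabling update the article mentions ships, the complementary fix is per-account: set AES in each service account's supported encryption types and give those accounts long, random passwords, which removes the weak material this detector is looking for.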

He said Microsoft has known about this for years but has failed to act decisively, noting that a promised patch to disable RC4 by default has yet to materialize nearly a year after being announced. The senator also criticized the company for burying its security guidance in an obscure Friday blog post rather than proactively warning customers.

Adding fuel to the fire, Wyden argued that Microsoft's defaults are stacked against its users. Password policies do not enforce the long, complex passwords needed to resist Kerberoasting attacks, and many customers are unaware of the risk until it is too late. In his letter, Wyden accused the software giant of putting profit over security, claiming it has built "a multibillion-dollar secondary business selling cybersecurity add-on services to those organizations that can afford it," likening Microsoft to "an arsonist selling firefighting services to their victims."

The senator framed Microsoft's behavior as part of a pattern, recalling the 2023 hack of US government email accounts by suspected Chinese spies, which a federal review board blamed on "inadequate" security culture at the company. Because Microsoft dominates the enterprise operating system market, Wyden warned, its decisions set the baseline for security across government and critical infrastructure – and its failings put everyone at risk.

Wyden's call for an FTC investigation is an attempt to force accountability. He wants regulators to compel Microsoft to ship secure defaults, deliver the long-delayed RC4 update, and provide plain-English guidance to customers about the risks they face. If the FTC takes up the case, it could mark a turning point in how Washington polices vendors whose software underpins critical services but repeatedly lands them in the headlines for all the wrong reasons.

For Microsoft, which has spent months promising a new "secure by design" era under its Secure Future Initiative, Wyden's letter is a sharp reminder that not everyone is convinced Redmond is serious about change. Whether the FTC decides to act may determine if this is just another round of public shaming or the start of a much deeper reckoning for one of the most powerful companies in tech. ®

https://go.theregister.com/feed/www.theregister.com/2025/09/11/wyden_microsoft_insecure/