Broken promises and regulatory pressure
When Wyden’s staff briefed senior Microsoft officials about the Kerberoasting threat in July 2024, the letter added, they “specifically requested that Microsoft publish and publicize clear guidance in plain English so that senior executives would understand this serious, avoidable cyber threat.”
Microsoft’s response fell short, publishing guidance as “a highly technical blog post on an obscure area of the company’s website on a Friday afternoon.” The company also promised to release a software update disabling RC4 encryption, but eleven months later, “Microsoft has yet to release that promised security update,” Wyden noted.
The regulatory implications remained uncertain. “A full-blown FTC case against Microsoft on the basis of weak defaults still feels unlikely,” Gogia said. However, he noted that “the Cyber Safety Review Board’s report from last year complicates the picture. It concluded Microsoft’s security culture was inadequate and accused the company of avoidable errors in a government email breach.”