
"Microsoft is killing off an obsolete and vulnerable encryption cipher that Windows has supported by default for 26 years. This follows more than a decade of devastating hacks that exploited it and recent blistering criticism from a prominent US senator. When the software maker rolled out Active Directory in 2000, it made RC4 a sole means of securing the Windows component, which administrators use to configure and provision fellow administrator and user accounts inside large organizations."
"Eventually, Microsoft upgraded Active Directory to support the much more secure AES encryption standard. But by default, Windows servers have continued to respond to RC4-based authentication requests and return an RC4-based response. The RC4 fallback has been a favorite weakness hackers have exploited to compromise enterprise networks. Use of RC4 played a key role in last year's breach of health giant Ascension. The breach caused life-threatening disruptions at 140 hospitals and put the medical records of 5.6 million patients into the hands of the attackers."
Microsoft will remove default support for the RC4 cipher that Windows has enabled for 26 years. RC4 was adopted in Active Directory in 2000 as the sole mechanism for securing certain Windows authentication; the cipher's design leaked publicly in 1994, and cryptographic attacks against it have been demonstrated since. Microsoft later added AES support, but Windows servers continued to accept RC4-based authentication requests and answer them with RC4-protected responses. Attackers have repeatedly exploited this RC4 fallback to breach enterprise networks, including the Ascension incident that disrupted 140 hospitals and exposed the records of 5.6 million patients. Senator Ron Wyden called for an investigation, and Microsoft plans to change Kerberos KDC defaults by mid-2026.
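Two checks that follow from the RC4 fallback described above, added here as an example and not code from the article or from Microsoft: a parser that flags Kerberos service tickets logged with an RC4 encryption type (Security event 4769, Ticket Encryption Type 0x17), and a decoder for the Active Directory attribute msDS-SupportedEncryptionTypes that shows whether an account still advertises RC4 and what the mask looks like with DES and RC4 stripped. The log records are constructed for this example, and treating an unset attribute as RC4-capable is an assumption stated in the code.

```python
"""Added example (not from the article or from Microsoft): find RC4 Kerberos
tickets in constructed 4769 records and audit msDS-SupportedEncryptionTypes."""
import re

# Kerberos etype codes as they appear in the Ticket Encryption Type field of event 4769.
ETYPE_NAMES = {
    0x01: "DES-CBC-CRC",
    0x03: "DES-CBC-MD5",
    0x11: "AES128-CTS-HMAC-SHA1-96",
    0x12: "AES256-CTS-HMAC-SHA1-96",
    0x17: "RC4-HMAC",
    0x18: "RC4-HMAC-EXP",
}
RC4_ETYPES = {0x17, 0x18}

# Bit flags of the AD attribute msDS-SupportedEncryptionTypes.
ENC_TYPE_BITS = {
    0x01: "DES-CBC-CRC",
    0x02: "DES-CBC-MD5",
    0x04: "RC4-HMAC",
    0x08: "AES128-CTS-HMAC-SHA1-96",
    0x10: "AES256-CTS-HMAC-SHA1-96",
    0x20: "AES256-CTS-HMAC-SHA1-96-SK",
}
LEGACY_BITS = 0x07   # DES-CBC-CRC | DES-CBC-MD5 | RC4-HMAC
AES_BITS = 0x18      # AES128 | AES256

# Constructed sample records in the shape of event 4769 message text (not real log data).
SAMPLE_4769 = """\
Account Name: alice@CORP.EXAMPLE | Service Name: MSSQLSvc/db01.corp.example:1433 | Ticket Encryption Type: 0x17 | Client Address: ::ffff:10.0.5.23
Account Name: bob@CORP.EXAMPLE | Service Name: krbtgt/CORP.EXAMPLE | Ticket Encryption Type: 0x12 | Client Address: ::ffff:10.0.5.40
Account Name: svc_backup@CORP.EXAMPLE | Service Name: HTTP/web01.corp.example | Ticket Encryption Type: 0x17 | Client Address: ::ffff:10.0.9.7
Account Name: carol@CORP.EXAMPLE | Service Name: cifs/fs01.corp.example | Ticket Encryption Type: 0x11 | Client Address: ::ffff:10.0.5.41
"""

FIELD_RE = re.compile(r"(?P<key>[A-Za-z ]+?): (?P<value>[^|]+?)(?: \| |$)")


def parse_4769(text):
    """Parse one 'Key: value | Key: value' record per line; etype becomes an int."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = {m.group("key").strip(): m.group("value").strip()
                  for m in FIELD_RE.finditer(line)}
        fields["etype"] = int(fields["Ticket Encryption Type"], 16)
        records.append(fields)
    return records


def rc4_service_tickets(records):
    """Return (account, service) pairs whose ticket used an RC4 etype.
    Each one is a client/service pair that never negotiated AES and a ticket
    that is cheap to brute-force offline."""
    return [(r["Account Name"], r["Service Name"])
            for r in records if r["etype"] in RC4_ETYPES]


def decode_enc_types(mask):
    """Names of the cipher suites an account advertises via its attribute value."""
    if not mask:
        # Assumption for this example: an unset attribute leaves KDC defaults in
        # force, which has historically meant RC4 stays usable for the account.
        return ["RC4-HMAC (attribute unset, KDC default)"]
    return [name for bit, name in ENC_TYPE_BITS.items() if mask & bit]


def allows_rc4(mask):
    """True if the account can still be issued RC4 keys/tickets."""
    return not mask or bool(mask & 0x04)


def hardened_mask(mask):
    """Strip DES and RC4 bits and make sure both AES suites are set."""
    return ((mask or 0) & ~LEGACY_BITS) | AES_BITS


if __name__ == "__main__":
    for account, service in rc4_service_tickets(parse_4769(SAMPLE_4769)):
        print(f"RC4 ticket: {account} -> {service}")
    for value in (0x1C, 0x18, 0):
        print(f"0x{value:02x}: {decode_enc_types(value)}; "
              f"RC4 allowed={allows_rc4(value)}; hardened=0x{hardened_mask(value):02x}")
```

On a real domain controller the input would come from the Security log filtered on event ID 4769 and the attribute from each account object; a mask of 0x1C (RC4 plus both AES suites) is the common state that still lets a client fall back to RC4, and 0x18 is the RC4-free setting.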
Read at WIRED