CISA Directs Federal Agencies to Patch Critical Microsoft Vulnerability within 24 Hours
The Cybersecurity and Infrastructure Security Agency (CISA) recommends that all government agencies update their Microsoft Windows Servers immediately, after a vulnerability was discovered that could allow a remote attacker to take control of the system. The vulnerability is severe enough that CISA issued a directive requiring all federal agencies to patch their Microsoft Windows Servers within 24 hours.
The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) on Thursday issued a directive requiring all federal agencies to patch a major vulnerability in the Microsoft Windows Server program within the next 24 hours.
CISA Director Christopher Krebs wrote in a blog post announcing the emergency directive that while the agency had not seen any evidence of the vulnerability being exploited, the vulnerability, if not patched, could allow a remote attacker to take control of a system.
“Due to the wide prevalence of Windows Server in civilian Executive Branch agencies, I’ve determined that immediate action is necessary, and federal departments and agencies need to take this remote code execution vulnerability in Windows Server’s Domain Name System (DNS) particularly seriously,” Krebs wrote.
Microsoft released a patch for the “wormable” vulnerability on Tuesday, warning that the vulnerability could potentially be used to spread dangerous malware between computers.
“While this vulnerability is not currently known to be used in active attacks, it is essential that customers apply Windows updates to address this vulnerability as soon as possible,” Mechele Gruhn, principal security PM manager at the Microsoft Security Response Center, wrote in a blog post.
Agencies have until Friday afternoon to ensure the security update is applied to all Windows Servers, and until July 24 to put in place new technical and management controls and to submit a report to CISA detailing the patch completion.
While the directive was only a requirement for federal agencies, Krebs strongly recommended that other governmental organizations and private sector groups immediately patch the vulnerability as well.
“They should identify whether this critical vulnerability exists on their networks and assess their plan to immediately address this significant threat,” Krebs wrote. “If you have Windows Servers running DNS, you should patch now. Don’t wait on this one.”
The move by CISA marked the third time the agency has issued an emergency directive. It had previously issued a directive in January around separate Microsoft vulnerabilities that would have allowed hackers to forge a digital signature and access a system, among other issues.
Article retrieved July 21, 2020, from: https://thehill.com/policy/cybersecurity/507747-dhs-gives-federal-agencies-24-hours-to-patch-critical-microsoft-windows