DHS gives federal agencies 24 hours to patch critical Microsoft Windows vulnerability

The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) on Thursday issued a directive requiring all federal agencies to update a major vulnerability within the Microsoft Windows Server program in the next 24 hours. 

CISA Director Christopher Krebs wrote in a blog post announcing the emergency directive that while the agency had not seen any evidence of the vulnerability being exploited, the vulnerability, if not patched, could allow a remote attacker to take control of a system. 

“Due to the wide prevalence of Windows Server in civilian Executive Branch agencies, I’ve determined that immediate action is necessary, and federal departments and agencies need to take this remote code execution vulnerability in Windows Server’s Domain Name System (DNS) particularly seriously,” Krebs wrote. 

Microsoft released a patch for the “wormable” vulnerability on Tuesday, warning that the vulnerability could potentially spread dangerous malware between computers.

“While this vulnerability is not currently known to be used in active attacks, it is essential that customers apply Windows updates to address this vulnerability as soon as possible,” Mechele Gruhn, principal security PM manager at the Microsoft Security Response Center, wrote in a blog post.

Agencies have until Friday afternoon to ensure the security update is applied to all Windows Servers, and until July 24 to put in place new technical and management controls and to submit a report to CISA detailing the patch completion. 

While the directive was only a requirement for federal agencies, Krebs strongly recommended that other governmental organizations and private sector groups immediately patch the vulnerability as well. 

“They should identify whether this critical vulnerability exists on their networks and assess their plan to immediately address this significant threat,” Krebs wrote. “If you have Windows Servers running DNS, you should patch now. Don’t wait on this one.”

The move by CISA marked the third time the agency has issued an emergency directive. It had previously issued a directive in January around separate Microsoft vulnerabilities that would have allowed hackers to forge a digital signature and access a system, among other issues.