DHS orders all federal agencies to patch Microsoft vulnerabilities

The Department of Homeland Security’s (DHS) cybersecurity agency ordered all federal agencies to patch critical Microsoft vulnerabilities made public by the National Security Agency (NSA) on Tuesday.

The vulnerabilities, which Microsoft announced it had released a security update for on Tuesday, included those that could expose a system to a significant breach or to surveillance, such as a Microsoft code flaw that could enable a hacker to forge a digital signature and hack a system. 

DHS’s Cybersecurity and Infrastructure Security Agency (CISA) subsequently released an emergency directive on Tuesday afternoon requiring all agencies to implement Microsoft’s patch by Jan. 29, with CISA “strongly recommending” that all agencies begin patching “immediately.”

CISA noted in the directive that while it is “unaware of active exploitation of these vulnerabilities, once a patch has been publicly released, the underlying vulnerabilities can be reverse engineered to create an exploit.”

The directive also requires federal agencies to submit an initial status report to CISA by the end of this week on the progress of patching, and a completion report within 10 days. 

“CISA has determined that these vulnerabilities pose an unacceptable risk to the Federal enterprise and require an immediate and emergency action,” the agency wrote. “This determination is based on the likelihood of the vulnerabilities being weaponized, combined with the widespread use of the affected software across the Executive Branch and high potential for a compromise of integrity and confidentiality of agency information.”

CISA, as part of the directive, wrote that it would submit a report to the DHS secretary and to the Office of Management and Budget by Feb. 14 on the status of the Microsoft security update being implemented by all other federal agencies. 

In announcing the vulnerabilities earlier on Tuesday, the NSA emphasized the need for all companies to update their systems. 

“The patch is the only comprehensive means to mitigate the risk,” the NSA wrote in a statement. “While means exist to detect or prevent some forms of exploitation, none of them are complete or fully reliable.”