The Department of Homeland Security’s Infrastructure and Cybersecurity Security Agency (CISA) issued a directive Thursday that requires all federal agencies to update a major vulnerability within the Microsoft Windows Server program within the next 24 hours.
CISA director Christopher Krebs wrote in a blog post announcing the emergency directive that while the agency had not seen any evidence of the vulnerability being exploited, the vulnerability, if not repaired, could allow a remote attacker to take control of a system.
“Due to the widespread prevalence of Windows Server in civilian executive branch agencies, I have determined that immediate action is necessary, and federal remote departments and agencies should take this remote code execution vulnerability in the Domain Name System (DNS) ) Windows Server particularly seriously, “Krebs wrote.
Microsoft released a patch for the “wormable” vulnerability on Tuesday, warning that the vulnerability could potentially spread dangerous malware between computers.
“While this vulnerability is not currently known to be used in active attacks, it is essential that customers apply Windows updates to address this vulnerability as soon as possible,” wrote Mechele Gruhn, senior manager of security PM in the Response Center for Microsoft security, in a blog post.
Agencies have until Friday afternoon to ensure that the security update is applied to all Windows servers, and until July 24 to establish new technical and management controls and submit a report to CISA detailing the completion of the patch.
While the directive was only a requirement for federal agencies, Krebs strongly recommended that other government organizations and private sector groups also immediately repair the vulnerability.
“They must identify whether this critical vulnerability exists in their networks and evaluate their plan to immediately address this significant threat,” Krebs wrote. “If you have Windows servers running DNS, you should patch now. Don’t wait on this one. “
The CISA move marked the third time the agency issued an emergency directive. Had previously issued a directive in January around separate vulnerabilities from Microsoft that would have allowed hackers to forge a digital signature and access a system, among other problems.
.
