DHS orders agencies to fix Microsoft vulnerability

The Department of Homeland Security’s (DHS) cybersecurity agency ordered all federal agencies to patch critical Microsoft vulnerabilities made public by the National Security Agency (NSA) on Tuesday.

The vulnerabilities, for which Microsoft announced it had released a security update on Tuesday, included those that could expose a system to a significant breach or to surveillance, such as a Microsoft code flaw that could enable a hacker to forge a digital signature and hack a system.

DHS’s Cybersecurity and Infrastructure Security Agency (CISA) subsequently released an emergency directive on Tuesday afternoon requiring all agencies to implement Microsoft’s patch by Jan. 29, with CISA “strongly recommending” that all agencies begin patching “immediately.”

CISA noted in the directive that while it is “unaware of active exploitation of these vulnerabilities, once a patch has been publicly released, the underlying vulnerabilities can be reverse engineered to create an exploit.”

The directive also requires federal agencies to submit an initial status report to CISA by the end of this week on the progress of patching, and a completion report within ten days.