The Department of Homeland Security’s cybersecurity division on Thursday ordered federal civilian agencies to apply a security fix for a newly revealed Microsoft Windows vulnerability, citing the “unacceptable significant risk” posed by the flaw to agencies’ security.
The emergency order — only the third ever issued by DHS’s Cybersecurity and Infrastructure Security Agency — gave agencies roughly 24 hours to either patch Windows servers used for domain name system purposes or apply another mitigation. Organizations with affected servers that aren’t for DNS have until July 24 to patch.
The urgency of the directive is “based on the likelihood of the vulnerability being exploited, the widespread use of the affected software across the federal enterprise, the high potential for a compromise of agency information systems, and the grave impact of a successful compromise,” CISA said in its directive. The agency said it wasn’t aware of any active exploitation of the vulnerability — yet.
“[I]t is only a matter of time for an exploit to be created for this vulnerability,” CISA Director Chris Krebs said.
Microsoft on Tuesday issued a patch for the vulnerability, which is “wormable,” meaning malware abusing the vulnerability could move from infected system to infected system on its own. Security researchers immediately sounded the alarm about the potential impact of the bug because it could allow hackers who exploit it to intercept and tamper with network traffic and steal users’ credentials.
Some of the more dangerous software vulnerabilities in recent memory have been wormable, including the Windows flaw exploited by the 2017 WannaCry malware, which infected over 200,000 machines in 150 countries, costing Britain’s National Health Service alone more than $100 million.