CISA Says Agencies Have 10 Days to Patch NSA-Spotted Microsoft Vulnerability

The National Security Agency discovered and disclosed a severe flaw in Windows 10 to build trust with industry partners, an official said.

Federal agencies have 10 business days to apply security updates to all endpoints affected by 49 vulnerabilities Microsoft identified in a high-profile “patch Tuesday,” under the Cybersecurity and Infrastructure Security Agency directive issued today. 

Within that time, federal agencies must have controls in place to ensure new or previously disconnected endpoints are patched before connecting to their networks, according to the directive, which also lays out timelines for agencies to report on their plans. Initial status reports must be made to CISA within the next three business days.  

CISA, in turn, gives itself through Feb. 3 before the CISA director will begin engaging with chief information officers and/or senior risk management officials at agencies that have not completed the actions “as appropriate,” and through Feb. 14 before it reports “cross-agency status and outstanding issues” to the secretary of Homeland Security and the director of the Office of Management and Budget.

“We do not issue emergency directives unless we have carefully and collaboratively assessed it to be necessary,” CISA notes. “Indeed, this is only the second time CISA has ever issued an emergency directive.” 

In this case, CISA collaborated with the National Security Agency, which spotted a vulnerability in Windows 10 and disclosed it to Microsoft. Together, the agencies are working to share more information with industry, which has specifically pushed for contextual data about cybersecurity threats amid a backlog of appeals for the security clearances that would allow its members access to such information from the government.

On a call with reporters in advance of CISA issuing its directive, Anne Neuberger, head of the National Security Agency’s cybersecurity directorate, noted 90% of U.S. critical infrastructure is owned and operated by private sector entities.

Bryan Ware, CISA Assistant Secretary for Cybersecurity, Infrastructure, and Resilience Policy, joined Neuberger on the call and said the NSA official would also be joining him on calls CISA plans to hold with public and private sector entities to press the urgency of mitigating the vulnerabilities.

Neuberger said “we thought hard” about being identified as the entity that discovered the cryptography vulnerability in Windows 10. According to an NSA advisory, the bug “allows attackers to defeat trusted network connections and deliver executable code while appearing as legitimately trusted entities.” 

“We routinely share vulnerabilities,” Neuberger said. “The particular change in this case is also agreeing to accept attribution, recognizing the need to share data in order to build trust.”

Officials hope the concerted effort to draw attention to the vulnerabilities will spur stakeholders to prioritize fixing them.

“I'm watching the debate on whether or not this is urgent,” tweeted Rob Joyce, senior adviser on cybersecurity strategy to the NSA director. “If you have something worth protecting, allowing a flaw that subverts the trust system in Microsoft Windows is seriously, seriously bad. Patch.”