Federal agencies urge groups to patch systems over new Microsoft vulnerabilities

Federal agencies urged organizations using a Microsoft email application to immediately patch their systems to stop malicious hackers from exploiting newly discovered vulnerabilities.

The new vulnerabilities, which Microsoft announced Tuesday, could potentially involve exploitation of the company’s Exchange Server application, widely used by both federal agencies and private companies. 

The new security flaws were discovered a month after Microsoft announced that at least one Chinese state-sponsored hacking group had been actively exploiting a separate set of vulnerabilities in Exchange Server to potentially compromise thousands of organizations. 

The National Security Agency (NSA) found the new set of vulnerabilities, with Microsoft releasing a patch for the security flaws on Tuesday. Both Microsoft and the NSA strongly urged organizations running Exchange Server to patch their systems immediately. 

“We have not seen the vulnerabilities used in attacks against our customers,” the Microsoft Security Response Center wrote in a blog post Tuesday. “However, given recent adversary focus on Exchange, we recommend customers install the updates as soon as possible to ensure they remain protected from these and other threats.”

The NSA tweeted a link to the blog post, writing that it “urges applying critical Microsoft patches released today, as exploitation of these #vulnerabilities could allow persistent access and control of enterprise networks.”

Federal agencies were ordered Tuesday to apply the new patch and secure their systems. The Cybersecurity and Infrastructure Security Agency (CISA) updated its emergency directive issued in March after the first Exchange Server vulnerabilities were discovered to require federal agencies to patch against both sets of security flaws. 

“Though CISA is unaware of active exploitation of these vulnerabilities, once an update has been publicly released, the underlying vulnerabilities can be reverse engineered to create an exploit,” the agency wrote in the updated directive. “CISA has determined that these vulnerabilities pose an unacceptable risk to the Federal enterprise and require an immediate and emergency action.”

“This determination is based on the likelihood of the vulnerabilities being weaponized, combined with the widespread use of the affected software across the Executive Branch and high potential for a compromise of integrity and confidentiality of agency information,” CISA noted. 

Federal agencies have until April 16 to update their systems to protect against the new security flaws. 

The White House made clear Tuesday that it is closely monitoring the vulnerabilities. 

Anne Neuberger, President Biden’s deputy national security adviser for cyber and emerging technologies, said in a statement that the administration was urging “all owners and operators of Microsoft Exchange Servers to apply these latest patches immediately,” and that the federal government was “leading by example” in requiring agencies to do so. 

Neuberger noted that should the new vulnerabilities be exploited by malicious hackers, the Biden administration would work with the private sector to help address security concerns. 

“Cybersecurity is a top priority for the Biden Administration and we’re committed to sharing actionable and timely information to help the American public operate safely online,” Neuberger said.

“This disclosure is an example of the responsible and transparent approach the U.S. government uses when handling vulnerabilities,” she added. “This is consistent with our expectations for how responsible governments and companies can work together to promote cybersecurity.”

The discovery of the new security flaws came as the Biden administration is working to enhance its leadership on cybersecurity vulnerabilities, with the Microsoft vulnerabilities and the recent SolarWinds hack of federal agencies by likely Russian hackers turning up the pressure on the administration to take action.

Biden will soon sign an executive order that will include at least a dozen actions meant to enhance federal cybersecurity. Biden also formally nominated individuals to serve in key cybersecurity roles in the administration on Monday, including Jen Easterly as CISA director, and former NSA Deputy Director Chris Inglis to serve as the new White House cyber czar.