Windows Vulnerabilities that Require Immediate Attention

The most important thing you can do for your cybersecurity is to update your software – and if you’re a Windows user, today is your day.

This afternoon, we issued Emergency Directive 20-02, which instructs most Federal civilian Executive Branch agencies to apply the security updates Microsoft released in today’s Patch Tuesday. The vulnerabilities fixed include serious flaws in how Windows trusts software and how it connects to remote computers, including, among others, CVE-2020-0601, CVE-2020-0609, CVE-2020-0610, and CVE-2020-0611.

While agencies are responsible for managing risk to their networks, CISA is responsible for safeguarding and securing the Federal enterprise. We do not issue emergency directives unless we have carefully and collaboratively assessed them to be necessary – indeed, this is only the second time CISA has ever issued an emergency directive. But left unpatched, these vulnerabilities strike at the core of digital trust and pose an unacceptable risk to the Federal enterprise that requires immediate and emergency action. We have directed agencies to implement the patch across their infrastructure within 10 days, and we have given instructions for which of their many systems to prioritize.

CISA will provide assistance and resources to guide agencies in completing the required actions. Investments in the Continuous Diagnostics and Mitigation (CDM) Program will pay dividends, as the program will help federal agencies with mature implementations identify where unpatched versions reside and track patching progress. For additional support, our state and local government partners are encouraged to contact the Multi-State Information Sharing and Analysis Center (MS-ISAC) at soc@cisecurity.org.

Though this directive applies only to certain Executive Branch agencies, we strongly urge our partners in State and local government, the private sector, and the American public to apply this security update as soon as possible and to turn on automatic updates. We have published an Activity Alert with information about our directive, as well as resources to help critical infrastructure organizations protect their networks. We’d also like to acknowledge the efforts of our partners at Microsoft in working to ensure the security of their products.

Go get patching!