US govt agencies urged to apply patches to Microsoft servers

US urges agencies to apply patches to Microsoft servers.
Photo credit: Reuters

The top cybersecurity official in the White House on Tuesday (local time) directed all US government agencies to urgently apply new patches for Microsoft's Exchange email servers to head off exploitation by hackers.

The rare directive applies to software fixes for four flaws discovered by the US National Security Agency and reported to Microsoft.

"We recognise when vulnerabilities may pose such a systemic risk that they require expedited disclosure," Deputy National Security Advisor for Cyber & Emerging Technologies Anne Neuberger said in a statement.

Microsoft said it had not seen the problems being exploited so far, but hackers will study the new patches to see what they are fixing, then deploy attacks against unpatched machines.

The new flaws come on top of those used in a flood of attacks earlier this year that compromised more than 20,000 US on-premises Exchange servers handling web versions of Outlook mail.

Though the vast majority of those vulnerable to the previous round of attacks have now patched their systems, Justice Department officials said Tuesday (local time) they had won court permission to gain access to privately owned servers and remove the web shells left by some of the hackers for future remote access.

That sort of active engagement by US officials is expected to accelerate with this week's nominations of NSA veterans to other national cyber security posts, including a head of the Cybersecurity and Infrastructure Security Agency at the Department of Homeland Security.