Cybersecurity

Feds respond to critical Windows flaw

Shutterstock image of a line of faulty code.

Microsoft's latest weekly security bulletin released Feb. 10 contained patch instructions to fix a critical vulnerability affecting versions of the Windows operating systems. An attacker could exploit the flaw to gain user access to affected systems, including administrative access, depending on how the attack is directed. Users become vulnerable by connecting over unknown networks, like a coffee-shop Wi-Fi connection.

Known as "JASBUG," the flaw requires the implementation of a complex set of patches that go beyond the download-and-restart installation.

"This is not just a configuration issue in the code, this is an actual problem in the code," White House cybersecurity advisor Michael Daniel said at a meeting of the Information Security and Privacy Advisory Board of the National Institute for Standards and Technology. "You can't just implement the patch. You can break things if you do it incorrectly."

The Office of Management and Budget and the Department of Homeland Security are collaborating on implementing the fix across federal networks.

"The more challenging feature of this is sort of rolling this out across all federal agencies, getting them to implement it, and do that in a way that doesn't break anything significant as we're doing it. We've got a good schedule laid out and OMB and DHS have been doing a good job about that," Daniel said.

The National Cybersecurity and Communications Integration Center is addressing the problem at DHS. The U.S. Computer Emergency Readiness Team released an alert about the vulnerability.

"We are working with other agencies across the executive branch and critical infrastructure entities to determine any potential risk and to implement mitigation strategies as necessary," DHS spokesman S.Y. Lee said.

"I think that we learned a lot from our experience going through Heartbleed, and we got a little bit better with Bash, and I think that in this case we were able to get our act together in time so that we were ready for the patch when it actually rolled out," Daniel said. "In some ways this is a good news story on the government side. We actually did learn something from previous vulnerabilities and adjusted our processes to get a little bit ahead of it."

About the Author

Adam Mazmanian is executive editor of FCW.

Before joining the editing team, Mazmanian was an FCW staff writer covering Congress, government-wide technology policy and the Department of Veterans Affairs. Prior to joining FCW, Mazmanian was technology correspondent for National Journal and served in a variety of editorial roles at B2B news service SmartBrief. Mazmanian has contributed reviews and articles to the Washington Post, the Washington City Paper, Newsday, New York Press, Architect Magazine and other publications.

Click here for previous articles by Mazmanian. Connect with him on Twitter at @thisismaz.


Featured

  • Contracting
    8 prototypes of the border walls as tweeted by CBP San Diego

    DHS contractors face protests – on the streets

    Tech companies are facing protests internally from workers and externally from activists about doing for government amid controversial policies like "zero tolerance" for illegal immigration.

  • Workforce
    By Mark Van Scyoc Royalty-free stock photo ID: 285175268

    At OPM, Weichert pushes direct hire, pay agent changes

    Margaret Weichert, now acting director of the Office of Personnel Management, is clearing agencies to make direct hires in IT, cyber and other tech fields and is changing pay for specialized occupations.

  • Cloud
    Shutterstock ID ID: 222190471 By wk1003mike

    IBM protests JEDI cloud deal

    As the deadline to submit bids on the Pentagon's $10 billion, 10-year warfighter cloud deal draws near, IBM announced a legal protest.

Stay Connected

FCW Update

Sign up for our newsletter.

I agree to this site's Privacy Policy.