Shutdown could delay government's patching of IE, Windows and .NET flaws

Federal desktops, servers are vulnerable to new threats when they are turned back on, analysts say

The ongoing government shutdown could leave desktop and server systems in many federal agencies vulnerable to new threats disclosed Tuesday by Microsoft in its latest round of security updates.

Many federal agencies are operating with skeletal IT staff. All IT systems deemed non-essential have been shut down, making the installation of Microsoft's latest patches, especially on desktop and notebook systems, very difficult for federal agencies, say security analysts.

"The October Windows critical vulnerabilities go across PC and server operating systems," said John Pescatore, director of emerging technologies at the SANS Institute.

"While most of the government security staff was deemed essential, it is likely that many of the employee PCs and laptops were turned off, so it will be hard to patch them," Pescatore noted. So, when the standoff is over and government workers return, a lot of their PCs could be missing critical patches.

Microsoft yesterday issued patches for 26 flaws, including several critical, remotely exploitable flaws in Windows XP, Windows Server 2003, the Microsoft .NET Framework and multiple versions of the Internet Explorer browser. The patches are part of the company's regular monthly security updates.

Security analysts typically recommend that organizations implement Microsoft's security patches as soon as possible to mitigate the risk from hackers.

Over the years, Microsoft and several vendors have released tools that make it much easier for organizations to quickly test and to install required patches with minimal service disruptions.

Theoretically, there should be fewer problems with server updates due to the shutdown -- most agencies have far fewer servers than client systems.

"You would think that without users they could actually patch servers faster," Pescatore said. "However, the reality of these shutdowns is that informal processes get disrupted even if the essential people are still there."

Richard Stiennon, principal at security consulting firm IT-Harvest, predicts that many government systems will have problems once they are turned on after the shutdown. "Best practice would be to isolate these machines until they can be brought up to the most recent patch level," Stiennon noted.

"I suspect that most agencies do not have best practice patch management where they deploy patches quickly anyway," he said.

Though most systems are idle during the shutdown, Stiennon suggested that "because so much attention is being paid to the numerous websites displaying shutdown notices, agency IT staffs should be on heightened alert for defacement, DDoS (distributed denial of service) attacks and other shenanigans during the crisis."

An agency's ability to deploy the latest round of Microsoft patches in a timely fashion depends in large part on whether the process is automated, said Karen Evans, federal CIO during the George W. Bush administration. "I would think this would start being a problem for them" if the shutdown persists.

The government shutdown, now in its ninth day, has caused most federal agencies to shut down all but a few services deemed essential. Most have furloughed all but a bare handful of "excepted" employees to keep essential operations running.

The Federal Trade Commission, for instance, has exempted just six IT employees to keep its IT infrastructure running through the shutdown. The six individuals are responsible for directly supporting the agency's network and telecommunication services, operating the FTC's data center, rotating backup media for offsite storage and providing on-site database administration support.

The Social Security Administration has temporarily furloughed all but 310 of its 3,187 IT employees. The exempted employees have been put in charge of managing the agency's IT infrastructure and providing support for essential services. The U.S. Department of Housing and Urban Development is using a skeletal IT staff of 13 to keep its critical systems running and protected against security threats.

Analysts have noted that such scaled-down operations could pose security challenges for agencies if the shutdown persists. The latest round of Microsoft patches could be the first of those challenges.

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan, or subscribe to Jaikumar's RSS feed. His email address is
