Updated Jan 14, 2020

Microsoft patches big Windows flaw discovered by NSA


Microsoft is releasing a security patch Tuesday to fix a major flaw in the Windows operating system. Although Microsoft says it hasn't seen evidence the issue has been exploited in the wild, it could allow an attacker to "decrypt confidential information."

Why it matters: The flaw represents a significant vulnerability and was turned over to Microsoft by the National Security Agency. In the past, the NSA has kept some Windows flaws to itself to use for its own purposes.

What's next: Microsoft confirmed details of the flaw and the release of the patch, adding that its security software can detect and block malware attempting to use this vulnerability. It affects versions of Windows 10 as well as the 2016 and 2019 versions of Windows Server, but not Windows 7, Windows 8 or earlier versions.

  • "We have not seen any evidence that this technique has been used in the wild," Microsoft said. "As always we encourage customers to install all security updates as soon as possible."

The vulnerability was rated "important," Microsoft's second-highest rating, because exploiting it requires user interaction. (Critical flaws can be exploited with no user interaction.)

Krebs on Security, which reported the existence of the patch Monday night, described it as "an extraordinarily serious security vulnerability in a core cryptographic component."

  • Also, per Krebs, Microsoft has already delivered a patch for the bug to the U.S. military and other key customers and potential targets, such as the companies that manage internet infrastructure. Those companies had to agree not to disclose details of the vulnerability.

In a statement, Microsoft said it doesn't release production-ready updates ahead of its regular Update Tuesday schedule, but it does give advance versions to partners "for the purpose of validation and interoperability testing in lab environments." Those who get the advance versions are not supposed to use them for production machines.

What they're saying: Longtime security expert Dan Kaminsky, chief scientist at White Ops, said that the flaw is a big deal, despite the less-than-critical rating assigned by Microsoft.

"It does happen that some bugs are 'overhyped'. Not this one. A flaw here exposes itself on sensitive attack surfaces across the entire Windows platform, in subtle ways that are difficult to predict and — critically — would be highly reliable. Absolutely the real deal, patch this immediately."
— Dan Kaminsky, to Axios
