
Microsoft is releasing a security patch Tuesday to fix a major flaw in the Windows operating system. Although Microsoft says it hasn't seen evidence the issue has been exploited in the wild, it could allow an attacker to "decrypt confidential information."

Why it matters: The flaw represents a significant vulnerability and was turned over to Microsoft by the National Security Agency. In the past, the NSA has kept some Windows flaws to itself to use for its own purposes.

What's next: Microsoft confirmed details of the flaw and the release of the patch, adding that its security software can detect and block malware attempting to use this vulnerability. It affects versions of Windows 10 as well as the 2016 and 2019 versions of Windows Server, but not Windows 7, Windows 8 or earlier versions.

  • "We have not seen any evidence that this technique has been used in the wild," Microsoft said. "As always we encourage customers to install all security updates as soon as possible."

The vulnerability was rated "important," Microsoft's second-highest rating, because exploiting it requires user interaction. (Critical flaws can be exploited with no user interaction.)

Krebs on Security, which reported the existence of the patch Monday night, described it as "an extraordinarily serious security vulnerability in a core cryptographic component."

  • Also, per Krebs, Microsoft has already delivered a patch for the bug to the U.S. military and other key customers and potential targets, such as the companies that manage internet infrastructure. Those companies had to agree not to disclose details of the vulnerability.

In a statement, Microsoft said it doesn't release production-ready updates ahead of its regular Update Tuesday schedule, but it does give advance versions to partners "for the purpose of validation and interoperability testing in lab environments." Those who get the advance versions are not supposed to use them for production machines.

What they're saying: Longtime security expert Dan Kaminsky, chief scientist at White Ops, said that the flaw is a big deal, despite the less-than-critical rating assigned by Microsoft.

"It does happen that some bugs are 'overhyped'. Not this one. A flaw here exposes itself on sensitive attack surfaces across the entire Windows platform, in subtle ways that are difficult to predict and — critically — would be highly reliable. Absolutely the real deal, patch this immediately."
— Dan Kaminsky, to Axios
