Illustration: Sarah Grillo/Axios

Microsoft is releasing a security patch Tuesday to fix a major flaw in the Windows operating system. Although Microsoft says it hasn't seen evidence the issue has been exploited in the wild, it could allow an attacker to "decrypt confidential information."

Why it matters: The flaw represents a significant vulnerability and was turned over to Microsoft by the National Security Agency. In the past, the NSA has kept some Windows flaws to itself to use for its own purposes.

What's next: Microsoft confirmed details of the flaw and the release of the patch, adding that its security software can detect and block malware attempting to use this vulnerability. It affects versions of Windows 10 as well as the 2016 and 2019 versions of Windows Server, but not Windows 7, Windows 8 or earlier versions.

  • "We have not seen any evidence that this technique has been used in the wild," Microsoft said. "As always we encourage customers to install all security updates as soon as possible."

The vulnerability was rated "important," Microsoft's second-highest rating, because exploiting it requires user interaction. (Critical flaws can be exploited with no user interaction.)

Krebs on Security, which reported the existence of the patch Monday night, described it as "an extraordinarily serious security vulnerability in a core cryptographic component."

  • Also, per Krebs, Microsoft has already delivered a patch for the bug to the U.S. military and other key customers and potential targets, such as the companies that manage internet infrastructure. Those companies had to agree not to disclose details of the vulnerability.

In a statement, Microsoft said it doesn't release production-ready updates ahead of its regular Update Tuesday schedule, but it does give advance versions to partners "for the purpose of validation and interoperability testing in lab environments." Those who get the advance versions are not supposed to use them for production machines.

What they're saying: Longtime security expert Dan Kaminsky, chief scientist at White Ops, said that the flaw is a big deal, despite the less-than-critical rating assigned by Microsoft.

"It does happen that some bugs are 'overhyped'. Not this one. A flaw here exposes itself on sensitive attack surfaces across the entire Windows platform, in subtle ways that are difficult to predict and — critically — would be highly reliable. Absolutely the real deal, patch this immediately."
— Dan Kaminsky, to Axios
