Microsoft Subnet: An independent Microsoft community

MSFT to developers: Fix Windows app security flaws in 180 days or be kicked from stores

Roundup: Microsoft has a new security policy for apps, Patch Tuesday was particularly "ugly," and Microsoft gets serious about migrating businesses off XP.

App developers have no more than 180 days to fix security flaws or Microsoft will kick the vulnerable app from the Windows Store, Windows Phone Store, Office Store, and Azure Marketplace. Microsoft's new security policy for apps states:

Under the policy, developers will have a maximum of 180 days to submit an updated app for security vulnerabilities that are not under active attack and are rated Critical or Important according to the Microsoft Security Response Center rating system. The updated app must be submitted to the store within 180 days of the first report that reproduces the issue. Microsoft reserves the right to take swift action in all cases, which may include immediate removal of the app from the store, and will exercise its discretion on a case-by-case basis.

Microsoft will apply the same policy to its own software. "I've never seen a vendor state that they'd pull their own applications, so that deserves kudos," said Tyler Reguly, the manager of security research at Tripwire.

Microsoft Security Response Center (MSRC) expects that developers will patch vulnerabilities faster than the allotted 180 days, adding that "no apps have come close to exceeding this deadline."

While there is no small print if you're looking for the "catch," there is a "however." MSRC added that "Microsoft may make exceptions, such as when issues affect multiple developers or are architectural in nature, where such action is prohibited by law, or at Microsoft's discretion."

"Ugly" July Patch Tuesday release: Big fixes for critical holes in IE, Windows and Fonts

That new security policy for apps was released at the same time as July's Patch Tuesday. "July is one of the uglier releases we've seen from Microsoft this year. To say that all Microsoft products are affected and everything is affected critically is not an overstatement," according to Lumension security and forensic analyst Paul Henry.

Microsoft issued six critical and one important bulletin covering the Windows OS, Internet Explorer, Office, .NET Framework, Silverlight, Visual Studio, Lync and Windows Defender. MS13-055 addresses 17 vulnerabilities in IE 6 through 10, and MSRC expects to see "reliable exploits developed within the next 30 days."

In total, 34 vulnerabilities were patched. This includes the "most dangerous" vulnerability discovered by Google engineer Tavis Ormandy, who accused Microsoft of treating "vulnerability researchers with great hostility." MS13-053 is rated "critical for all supported releases of Microsoft Windows" and is currently being exploited via a Metasploit module.

Half of the critical bulletins, MS13-052, MS13-053 and MS13-054, deal with a vulnerability in how Microsoft software handles the rendering of TrueType fonts. "Fonts have become really complicated," said Wolfgang Kandek, CTO of Qualys. "There is real processing going on when you print a character, and that complexity can be attacked."

Migrating businesses off XP and onto "Modern"

Although Windows XP still had about 37.17% market share of all desktop operating systems as of June 2013, there will be no more patches or updates as of April 8, 2014. Microsoft's fiscal year 2014 began in July 2013, with the top Windows priority pegged as moving all businesses off XP. To reach that goal, Microsoft and its partners must "migrate 586,000 PCs per day over the next 273 days in order to get rid of all PCs running Windows XP."

Erwin Visser, General Manager of Windows Commercial, dangled the golden carrot in front of partners by claiming "there's an estimated $32 billion service opportunity for them in moving users off XP, given that companies are spending an average of $200 per PC to move off XP to Windows 7 or Windows 8."

Image credit: TechFlash Todd via ResourceSpace

Follow me on Twitter @PrivacyFanatic

Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.