Microsoft gives app developers 180 days to fix bugs
This month’s Patch Tuesday has been a prolific one, and patches for a total of 34 vulnerabilities – six of which are critical – have been made available for users. Among them is also a patch for the Windows zero-day recently unearthed by Google researcher Tavis Ormandy, which has apparently been spotted being exploited in the wild.
But the Redmond giant has also announced a change to the Security Policy for its Store Apps, in order to make the apps available on Windows Store, Windows Phone Store, Office Store, and Azure Marketplace safer for users.
“The policy, which is effective immediately, requires developers to fix security vulnerabilities in their apps and enables Microsoft to remove an app from sale if the developer does not provide an effective fix. The requirement applies to all apps available in the online stores, including Microsoft apps,” the company explained.
“Developers will have a maximum of 180 days to submit an updated app for security vulnerabilities that are not under active attack and are rated Critical or Important according to the Microsoft Security Response Center rating system. The updated app must be submitted to the store within 180 days of the first report that reproduces the issue.”
Microsoft considers “critical” those flaws whose exploitation could allow code execution without user interaction, and “important” those whose exploitation could result in compromise of the confidentiality, integrity, or availability of user data, or of the integrity or availability of processing resources.
If a vulnerability in an app is found to be exploited in the wild, Microsoft will work with the developer to have an update available as soon as possible and may remove the app from the store earlier.
“We expect that developers will address all vulnerabilities much faster than 180 days. To date, no apps have come close to exceeding this deadline,” the company said. “However, Microsoft may make exceptions, such as when issues affect multiple developers or are architectural in nature, where such action is prohibited by law, or at Microsoft’s discretion.”