Microsoft gives app developers 180 days to fix bugs
Posted on 10 July 2013.
This month's Patch Tuesday has been a prolific one: patches for a total of 34 vulnerabilities - six of which are critical - have been made available to users. Among them is a patch for the Windows zero-day recently unearthed by Google researcher Tavis Ormandy, which has apparently been spotted being exploited in the wild.

But the Redmond giant has also announced a change to the Security Policy for its Store Apps, in order to make the apps available on Windows Store, Windows Phone Store, Office Store, and Azure Marketplace safer for users.

"The policy, which is effective immediately, requires developers to fix security vulnerabilities in their apps and enables Microsoft to remove an app from sale if the developer does not provide an effective fix. The requirement applies to all apps available in the online stores, including Microsoft apps," the company explained.

"Developers will have a maximum of 180 days to submit an updated app for security vulnerabilities that are not under active attack and are rated Critical or Important according to the Microsoft Security Response Center rating system. The updated app must be submitted to the store within 180 days of the first report that reproduces the issue."

Microsoft considers "critical" those flaws whose exploitation could allow code execution without user interaction, and "important" those whose exploitation could result in compromise of the confidentiality, integrity, or availability of user data, or of the integrity or availability of processing resources.

If a vulnerability in an app is found to be exploited in the wild, Microsoft will work with the developer to have an update available as soon as possible and may remove the app from the store earlier.

"We expect that developers will address all vulnerabilities much faster than 180 days. To date, no apps have come close to exceeding this deadline," the company said. "However, Microsoft may make exceptions, such as when issues affect multiple developers or are architectural in nature, where such action is prohibited by law, or at Microsoft’s discretion."









Copyright 1998-2014 by Help Net Security.