Microsoft Orders App Developers to Fix Security Issues within 6 Months

Separately, Microsoft released seven security bulletins, six rated critical, as part of its regular security update cycle. 

The new developer policy affects apps available through the Windows Store, Windows Phone Store, Office Store and Azure Marketplace. Starting this week, developers will be required to submit an updated app within 180 days of being notified of a critical or important-level severity security issue. In the rare cases where a developer needs more than 180 days, the company will work with the developer to get an updated app replacement as soon as possible.

“This assumes the app is not currently being exploited in the wild”, said Dustin Childs, group manager for Microsoft Trustworthy Computing, in a blog post. “In those cases, we’ll work with the developer to have an update available as soon as possible and may remove the app from the store earlier.”

He added, “We can’t directly update third-party apps that you install from the Windows Store if they have a problem. But we can influence when they get updated.”

Applications continue to pose security risks for enterprises. According to the latest (ISC)² Global Information Security Workforce Study (GISWS), application vulnerabilities remain the biggest concern for security professionals, with 69% of participants naming them the No. 1 security threat.

Meanwhile, the seven security updates address 34 vulnerabilities in Microsoft Windows, Internet Explorer, .NET Framework, Silverlight, GDI+ and Windows Defender. Childs recommended that IT managers focus on MS13-053 and MS13-055 first.

The MS13-053 security update resolves two publicly disclosed and six privately reported vulnerabilities in Microsoft Windows. The most severe of these vulnerabilities could allow remote code execution if a user opens a specially crafted document or visits a malicious webpage that embeds TrueType font files. An attacker who successfully exploited this vulnerability could take complete control of an affected system. One of the issues is already being exploited: CVE-2013-3660 is being used to achieve elevation of privilege in limited, targeted attacks.

MS13-055, meanwhile, is a cumulative update for Internet Explorer. It resolves 17 issues in Internet Explorer that could allow remote code execution if a customer views a specially-crafted webpage using the browser. An attacker who successfully exploited these vulnerabilities could gain the same rights as the logged-on user. This security update is rated critical for all versions of Internet Explorer, on all supported releases of Microsoft Windows.

“These issues were privately disclosed and we have not detected any attacks or customer impact,” Childs said.
