
MSFT to developers: Fix Windows app security flaws in 180 days or be kicked from stores

Analysis
Jul 10, 2013 · 4 min read
Topics: Data and Information Security, Internet Explorer, Microsoft

Roundup: Microsoft has a new security policy for apps, Patch Tuesday was particularly "ugly," and Microsoft gets serious about migrating businesses off XP.

App developers have no more than 180 days to fix security flaws or Microsoft will kick the vulnerable app from the Windows Store, Windows Phone Store, Office Store, and Azure Marketplace. Microsoft’s new security policy for apps states:

Under the policy, developers will have a maximum of 180 days to submit an updated app for security vulnerabilities that are not under active attack and are rated Critical or Important according to the Microsoft Security Response Center rating system. The updated app must be submitted to the store within 180 days of the first report that reproduces the issue. Microsoft reserves the right to take swift action in all cases, which may include immediate removal of the app from the store, and will exercise its discretion on a case-by-case basis.

Microsoft will apply the same policy to its own software. “I’ve never seen a vendor state that they’d pull their own applications, so that deserves kudos,” said Tyler Reguly, the manager of security research at Tripwire.

Microsoft Security Response Center (MSRC) expects that developers will patch vulnerabilities faster than the allotted 180 days, adding that “no apps have come close to exceeding this deadline.”

While there is no small print if you’re looking for the “catch,” there is a “however.” MSRC added that “Microsoft may make exceptions, such as when issues affect multiple developers or are architectural in nature, where such action is prohibited by law, or at Microsoft’s discretion.”

“Ugly” July Patch Tuesday release: Big fixes for critical holes in IE, Windows and Fonts

That new security policy for apps was released at the same time as July’s Patch Tuesday. “July is one of the uglier releases we’ve seen from Microsoft this year. To say that all Microsoft products are affected and everything is affected critically is not an overstatement,” according to Lumension security and forensic analyst Paul Henry.

Microsoft issued six critical and one important bulletin covering the Windows OS, Internet Explorer, Office, .NET Framework, Silverlight, Visual Studio, Lync and Windows Defender. MS13-055 addresses 17 vulnerabilities in IE 6 – 10, and MSRC expects to see “reliable exploits developed within the next 30 days.”

In total, 34 vulnerabilities were patched. This includes the “most dangerous” vulnerability discovered by Google engineer Tavis Ormandy, who accused Microsoft of treating “vulnerability researchers with great hostility.” MS13-053 is rated “critical for all supported releases of Microsoft Windows” and is currently being exploited via a Metasploit module.

Half of the critical bulletins, MS13-052, MS13-053 and MS13-054, deal with a vulnerability in how Microsoft software handles the rendering of TrueType fonts. “Fonts have become really complicated,” said Wolfgang Kandek, CTO of Qualys. “There is real processing going on when you print a character, and that complexity can be attacked.”

Migrating businesses off XP and onto “Modern”

Although Windows XP still had about 37.17% market share of all desktop operating systems as of June 2013, there will be no more patches or updates as of April 8, 2014. Microsoft’s fiscal year 2014 began in July 2013, with the top Windows priority pegged as moving all businesses off XP. To reach that goal, Microsoft and its partners must “migrate 586,000 PCs per day over the next 273 days in order to get rid of all PCs running Windows XP.”

Erwin Visser, General Manager of Windows Commercial, dangled the golden carrot in front of partners by claiming “there’s an estimated $32 billion service opportunity for them in moving users off XP, given that companies are spending an average of $200 per PC to move off XP to Windows 7 or Windows 8.”

Image credit: TechFlash Todd via ResourceSpace


Ms. Smith

Ms. Smith (not her real name) is a freelance writer and programmer with a special and somewhat personal interest in IT privacy and security issues. She focuses on the unique challenges of maintaining privacy and security, both for individuals and enterprises. She has worked as a journalist and has also penned many technical papers and guides covering various technologies. Smith is herself a self-described privacy and security freak.