Microsoft Institutes Strict New Policy on App Vulnerabilities

Developers have 180 days -- or less, in many cases -- to fix apps before they're pulled.

If it were a Western, Microsoft's new policy on application security would be the equivalent of a stranger walking into a saloon and announcing, "There's a new sheriff in town."

And developers had better heed the lawman, or risk having their apps lynched.

That was the effect of the company's just-released regulation that developers with app vulnerabilities have a maximum of 180 days to fix the problem, or have the program pulled from any of Microsoft's app stores, including the Windows Store, Windows Phone Store, Office Store and Azure Marketplace.

The warning, from the Microsoft Security Response Center, is written in atypically blunt language:

"The new policy is part of a Microsoft effort to help ensure that customers can have confidence in the security of the software that is available in our online stores. This confidence includes trusting that developers will respond appropriately when a security vulnerability is discovered."

The rules apply not only to third-party apps, but Microsoft-created apps as well. And Microsoft emphasized that 180 days is the latest deadline; apps may be pulled from their respective stores immediately if the vulnerability is serious enough. Redmond "will exercise its discretion on a case-by-case basis," the notice says. Some of the reasons that could result in an app being yanked include issues that "affect multiple developers or are architectural in nature."

Even the six-month timeframe is pushing Microsoft's tolerance, according to the post: "We expect that developers will address all vulnerabilities much faster than 180 days."

The vulnerabilities requiring immediate attention are those rated "Critical" or "Important" in Microsoft's Severity Rating System. The system has four tiers; below those two are "Moderate" and "Low". A Critical flaw is one that could allow code execution without the user doing anything. An Important vulnerability, as specified in the system, "could result in compromise of the confidentiality, integrity, or availability of user data, or of the integrity or availability of processing resources."

Dustin Childs, the group manager for response communications for Microsoft Trustworthy Computing, added in his own blog entry announcing the new requirements that if a developer absolutely needs more than 180 days to fix a problem, the company will work with them on it. The key in such a situation, it would appear, is working in concert with Microsoft.

About the Author

Keith Ward is the editor in chief of Virtualization & Cloud Review. Follow him on Twitter @VirtReviewKeith.
