Microsoft has rolled out a new
security policy that will require third-party developers to patch
vulnerabilities in order to keep their software available on the
company's online markets.
The company said that its new policy
would apply to developers offering products for the Windows Store, Azure
Marketplace, Office Store and Windows Phone Store services. Under the
plan, developers will have 180 days from being notified by Microsoft of a
critical or important security issue.
While the severity of a security flaw
varies from case to case, Microsoft generally reserves the 'critical'
label for remote code execution vulnerabilities that can be exploited
with little or no user notification. Flaws rated 'important' often
include remote code execution, denial of service and elevation of
privilege vulnerabilities.
The company noted that in cases where a
flaw is being actively targeted in the wild it may remove the software
immediately and work with the developer to patch the vulnerability.
The policy comes alongside the July
edition of the company's monthly security update. The Patch Tuesday
release includes six fixes for critical vulnerabilities in Microsoft's
own platforms including Internet Explorer, Windows, .NET and
Silverlight.
Microsoft said that two of the updates
should be considered a higher priority for administrators to test and
deploy. The update for the Kernel Mode Driver will address a flaw in
Windows, while the Internet Explorer patch addresses a number of
security issues in Microsoft's web browser.
“This continues the trend we’ve
seen in recent Patch Tuesdays with Internet Explorer receiving fixes for
lots of memory corruption vulnerabilities,” explained Marc Maiffret,
chief technology officer at security firm BeyondTrust.
“These vulnerabilities will be used
in drive-by attacks where attackers set up malicious web pages and use
social engineering tactics to draw users to the malicious pages. It is
imperative that this patch gets rolled out as soon as possible.”
Other updates in the July release
include critical fixes for Office, Visual Studio, Lync and a number of
Windows components. A seventh bulletin, rated as 'important' by
Microsoft, addresses an elevation of privilege error in the Microsoft
Security Software package
No comments:
Post a Comment