Microsoft has rolled out a new security policy that will require third-party developers to patch vulnerabilities in order to keep their software available on the company's online markets.
The company said that its new policy would apply to developers offering products for the Windows Store, Azure Marketplace, Office Store and Windows Phone Store services. Under the plan, developers will have 180 days from being notified by Microsoft of a critical or important security issue to patch it.
While the severity of a security flaw varies from case to case, Microsoft generally reserves the 'critical' label for remote code execution vulnerabilities that can be exploited with little or no user notification. Flaws rated 'important' often include remote code execution, denial of service and elevation of privilege vulnerabilities.
The company noted that in cases where a flaw is being actively targeted in the wild, it may remove the software immediately and work with the developer to patch the vulnerability.
The policy comes alongside the July edition of the company's monthly security update. The Patch Tuesday release includes six fixes for critical vulnerabilities in Microsoft's own platforms including Internet Explorer, Windows, .NET and Silverlight.
Microsoft said that two of the updates should be considered a higher priority for administrators to test and deploy. The update for the Kernel Mode Driver will address a flaw in Windows, while the Internet Explorer patch addresses a number of security issues in Microsoft's web browser.
“This continues the trend we’ve seen in recent Patch Tuesdays with Internet Explorer receiving fixes for lots of memory corruption vulnerabilities,” explained Marc Maiffret, chief technology officer at security firm BeyondTrust.
“These vulnerabilities will be used in drive-by attacks where attackers set up malicious web pages and use social engineering tactics to draw users to the malicious pages. It is imperative that this patch gets rolled out as soon as possible.”
Other updates in the July release include critical fixes for Office, Visual Studio, Lync and a number of Windows components. A seventh bulletin, rated as 'important' by Microsoft, addresses an elevation of privilege error in the Microsoft Security Software package.