Security pros pan and praise Microsoft's plans on updating Modern apps in Windows 8, RT
Experts like the on-the-fly updating of apps, but the alerts ... not so much
Computerworld - Microsoft will issue security fixes for its Windows Store apps on the fly, not just on the familiar monthly Patch Tuesday, the company said this week.
At the same time, Microsoft spelled out how it will alert customers of security updates.
Windows Store apps are those written for the tile-style Modern user interface (UI) -- formerly called "Metro" -- in Windows 8 and Windows RT, the scaled-down version strictly for tablets. Those apps, such as the one that Twitter launched yesterday, are distributed only through the Windows Store, just as iPad apps are available only on Apple's iOS App Store.
App patches will be released whenever Microsoft has them ready, the company said, a departure from a long-established practice that has earned "Patch Tuesday" a place in the security lexicon: Microsoft issues security updates on the second Tuesday of each month. Only emergency updates, dubbed "out-of-band," appear on other days.
"App security updates can be delivered on days other than the second Tuesday of the month," stated an explanatory page on the Microsoft Security Response Center's (MSRC) website.
"Providing security updates to these apps more frequently will allow us to add new functionality, fix issues and improve security," argued Mike Reavey, senior director of the Microsoft Security Response Center (MSRC), on the group's blog.
Security experts applauded Microsoft for that.
"This moves normal PCs closer to phones and tablets as far as updates are concerned, not controlled by IT anymore," said Wolfgang Kandek, CTO of Qualys. "Instead [the apps are] generically kept as updated as possible. The more PCs we can replace by tablets and phones, the safer the network will be."
But they weren't as happy with the way Microsoft was alerting customers of security issues.
Microsoft will create a single, perpetual security advisory that will list every update -- both those downloaded from the Store as well as the ones bundled with Windows 8 and RT, like Mail and Messaging -- that in turn will offer links to individual support, or Knowledge Base, documents. The latter will spell out each individual update's contents.
"Windows Store app security updates will be documented in one security advisory, which will have a permanent URL and will be revised when new issues are added," said Dustin Childs, group manager of Microsoft's Trustworthy Computing group, in an email reply to questions. "A unique Microsoft Knowledge Base article number will accompany each issue, in order to provide a transparent and unique reference for individual security updates."
But the standing advisory got a pan from the pros.
"This is the wrong tactic," said Andrew Storms, director of security operations at nCircle, in an interview using instant messaging. "The single advisory method is confusing. It's difficult to keep track of what's been updated, what was updated in each release, and when. And in the event they issue mitigation guidance for a specific bug, it will be even more difficult to go and find the information. Considering all the apps they distribute, how would one neatly organize all that info in a single advisory?"
- Microsoft launches toolset for capturing 'ambient intelligence'
- Microsoft kicks off sales of lower-priced Office subscription in bid for iPad dollars
- At Build, mobility gets a boost with universal Windows apps
- Microsoft gets strategic with its Enterprise Mobility Suite
- Microsoft sketches out final Windows XP security updates for next week
- Microsoft teases touch-first Office for Windows
- Cortana's voice is synthesized in part from an AI character in Halo
- Hell freezes over: Microsoft makes Windows free for some devices
- Windows Phone 8.1 confirmed, with Cortana digital assistant
- Ex-Microsoft employee pleads guilty to trade secret theft
- Radicati: Cloud Business Email - Market Quadrant 2013 Google was named the top cloud business email provider in a recent report by research firm Radicati. Out of 14 key players, Google...
- Tablets in the Enterprise: A Checklist for Successful Deployment How can you enterprise manage and secure tablets in order to protect corporate data while providing access to the information and applications employees...
- Enterprise Mobility: A Checklist for Secure Containerization The advantages and disadvantages of the multiple approaches to containerization. Learn More>>
- Enterprise File Sync & Share Checklist File sync and share has changed the way people work and collaborate in today's tech-savvy world. Gone are the email roadblocks, clunky FTP...
- Live Webcast LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy... All Security White Papers | Webcasts