Microsoft quietly patches first Modern app for Windows 8, RT
'Talk about bare bones,' says one security professional of the scanty information Microsoft offers
Computerworld - Microsoft earlier this week quietly issued its first security update for one of its Windows 8 apps, patching a link-spoofing vulnerability in Mail.
Two weeks ago, Microsoft spelled out plans for updating its own "Modern" apps, the flat UI (user interface), touch-based programs that run in one of the two UIs of Windows 8, and the primary UI of Windows RT. At the time, Microsoft said it would issue security updates on the fly, not only on its regularly scheduled Patch Tuesday each month.
It also said it would alert customers via a standing security advisory.
Microsoft published that advisory for the first time Tuesday.
As security experts expected, the advisory contains little information. It lists only the Mail app as the affected program, notes that the vulnerability could be used to fake a link by making a link to a malicious site appear to be one to a trusted website, and cites a CVE (Common Vulnerabilities and Exposures) identifier.
"Talk about bare bones," said Andrew Storms, director of security operations at nCircle Security, in an interview today.
Microsoft rated the Mail flaw as "moderate," the second of four threat ratings.
The company credited Alex Wolff, founder of Brown Wolff, a London-based IT consultancy, with reporting the vulnerability.
Two weeks ago, security professionals praised Microsoft for its plan to update Modern apps when they were ready, rather than wait for the next Patch Tuesday. But they panned the way Microsoft said it would alert users and IT administrators.
Those opinions haven't changed. Not only did the company not bother to notify users of the update in the Microsoft Security Response Center (MSRC) blog -- as it always does with new operating system advisories and updates -- but it stuck to plans to use a single, permanent advisory for all Modern app patches.
"It's telling that someone like me, who follows Microsoft security advisories pretty closely, completely missed this [on Tuesday]," said Storms, who, like Computerworld, only noticed the Mail advisory today. "It's odd, because you would think that Microsoft would want people to know about it."
Experts had criticized the standing advisory concept, saying that as the number of updates accumulates, it would be difficult for enterprise IT and security personnel to pick out the pertinent information, search for past fixes and locate any work-arounds.
"I think for the end-user it is enough information," said Wolfgang Kandek, CTO of Qualys, in an instant messaging interview today. "For us, it is thin."
Although Microsoft is handling Modern app updates almost identically to vendors of other app stores -- Apple and Google, for example -- it's being held to a different standard by security pros because of the company's history of providing detailed information, mitigation moves and automated workarounds for flaws in its traditional desktop software, such as Windows and Office.
"We do hold them to a different standard, because of what they've done in the past," agreed Storms.
The Mail app's update was part of a larger refresh of several Windows 8 and Windows RT core apps that included Calendar and Message. The update to Calendar was notable for pulling the synchronization plug with Google Apps for Business, a rival to Microsoft's Office suite.
Users and administrators who want to keep abreast of Modern app updates should sign up for Microsoft's email alerts, or subscribe to their RSS feeds, from the company's website.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld.