Microsoft's new rule on application bug fixes is itself flawed, as some vulnerabilities can take longer than 180 days to fix.
Speaking to SC Magazine, Mark Raeburn, CEO of Context Information Security, said that the problem is that vulnerabilities will be found in technologies that require a complete rebuild and "that can take years, and in some cases it has".
He said: “You cannot say that it will take one, ten or a thousand days; if it is only one bug, you will be able to fix it this week. If it is longer, then it can be more long-winded, but people should be working with vendors to fix problems, and they want to fix things. All bug fixing is part of penetration testing.”
Microsoft announced this week that developers will have to submit an updated application to Microsoft within 180 days of being notified of a critical or important severity issue. Under a new policy for handling vulnerabilities in apps distributed through the Windows Store, Windows Phone Store, Office Store and Azure Marketplace, developers will be required to fix security vulnerabilities in their apps, and Microsoft will be able to remove an app from sale if the developer does not provide an effective fix.
It said in a statement that no apps have come close to exceeding this deadline, and while it realised that there may be cases where a developer needs more than 180 days, it would work with the developer to get an updated app replacement as soon as possible.
“So far, we have had excellent cooperation from developers in fixing vulnerabilities in their programs. The policy change is just one more step that we are taking to help ensure that vulnerabilities are addressed appropriately,” it said.
Robert Hansen, director of product management for WhiteHat Security, said: “I think it is a natural response to increasing pressure to reduce the lifespan of vulnerabilities in the Microsoft ecosystem. Using the app-store-type methodology of a walled garden, they can begin to mediate how apps should behave.
“It's a shame they don't apply the same restrictions on things like Flash and Java, which tend to be much more regularly exploited than traditional desktop apps. It's also potentially worth noting that the time frames differ between Google's disclosure policy and Microsoft's takedown policy by months.”