Patch Tuesdays are generally considered a time when Microsoft releases updates to close security holes in the Windows operating system – and that will continue to be the case. However, Microsoft has reached a point where it can work diligently to secure the operating system and still have the entire computer or device remain vulnerable because of security issues in apps downloaded from the Windows Store. As you should be aware by now, this issue has been raised on other platforms before, with Android becoming one of the most vulnerable systems due to Google's poor application management policies.
Fortunately for Microsoft, iOS and Android were the guinea pigs and Microsoft is able to learn from the mistakes and issue updated policies to help protect users of their operating systems and devices.
Today, Microsoft has announced a new security policy for Store apps, which includes apps from the Windows Store, Windows Phone Store, Office Store, and Azure Marketplace. When vulnerabilities are found in submitted applications, Microsoft will give the developer 180 days to submit an updated app. If the developer cannot submit a secure app within 180 days, the app will be removed from the Store and Microsoft will work directly with the developer to get a replacement app submitted as soon as possible.
In the event an app is found to have a vulnerability that is already being exploited in the wild, Microsoft will remove the app from the Store and immediately start helping the developer update the app.
Microsoft is also requesting that anyone who identifies a vulnerability in a Store application contact them directly at: [email protected]