Friday, April 5, 2013

Microsoft quietly patches first Modern app for Windows 8, RT

'Talk about bare bones,' says one security professional of the scanty information Microsoft offers

Microsoft earlier this week quietly issued its first security update for one of its Windows 8 apps, patching a link-spoofing vulnerability in Mail.

Two weeks ago, Microsoft spelled out plans for updating its own "Modern" apps, the flat UI (user interface), touch-based programs that run in one of the two UIs of Windows 8, and the primary UI of Windows RT. Then, Microsoft said it would issue security updates on the fly, not only on its regularly-scheduled Patch Tuesday each month.

It also said it would alert customers via a standing security advisory. Microsoft published that advisory for the first time

As security experts expected, the advisory contains little information, listing only the Mail app as the affected program; noting that the vulnerability could be used to fake a link, disguising one to a malicious site by making it appear to be one to a trusted website; and citing a CVE (Common Vulnerabilities and Exposures) identifier.

"Talk about bare bones," said Andrew Storms, director of security operations at nCircle Security, in an interview

Microsoft rated the Mail flaw as "moderate," the second of four threat ratings.

The company credited Alex Wolff, founder of Brown Wolff, a London-based IT consultancy, with reporting the vulnerability.

Two weeks ago, security professionals praised Microsoft for its plan to update Modern apps when they were ready, rather than wait for the next Patch Tuesday. But they panned the way Microsoft said it would alert users and IT

Those opinions haven't changed. Not only did the company not bother to notify users of the update in the Microsoft Security Response Center (MSRC) blog -- as it always does with new operating system advisories and updates -- but it stuck to plans to use a single, permanent advisory for all Modern app patches.

"It's telling that someone like me, who follows Microsoft security advisories pretty closely, completely missed this [on Tuesday]," said Storms, who, like Computerworld, only noticed the Mail advisory today. "It's odd, because you would think that Microsoft would want people to know about it."

Experts had criticized the standing advisory concept, saying that as the number of updates accumulates, it would be difficult for enterprise IT and security personnel to pick out the pertinent information, search for past fixes and locate any

"I think for the end-user it is enough information," said Wolfgang Kandek, CTO of Qualys, in an instant messaging interview today. "For us, it is thin."

Although Microsoft is handling Modern app updates almost identically to vendors of other app stores -- Apple and Google, for example -- it's being held to a different standard by security pros because of the company's history of providing detailed information, mitigation moves and automated workarounds for flaws in its traditional desktop software, such as Windows and Office.

"We do hold them to a different standard, because of what they've done in the past," agreed Storms.

The Mail app's update was part of a larger refresh of several Windows 8 and Windows RT core apps that included Calendar and Message. The update to Calendar was notable for pulling the synchronization plug with Google Apps for Business, a rival to Microsoft's Office suite.

Users and administrators who want to keep abreast of Modern app updates should sign up for Microsoft's email alerts, or subscribe to their RSS feeds, from the company's website.

The Windows Store's update for Mail does not even mention the fact that a security vulnerability has been patched in the app.
