Security pros pan and praise Microsoft's plans on updating Modern apps in Windows 8, RT

Experts like the on-the-fly updating of apps, but the alerts ... not so much

Microsoft will issue security fixes for its Windows Store apps on the fly, not just on the familiar monthly Patch Tuesday, the company said this week.

At the same time, Microsoft spelled out how it will alert customers of security updates.

Windows Store apps are those written for the tile-style Modern user interface (UI) -- formerly called "Metro" -- in Windows 8 and Windows RT, the scaled-down version strictly for tablets. Those apps, such as the one that Twitter launched yesterday, are distributed only through the Windows Store, just as iPad apps are available only on Apple's iOS App Store.

App patches will be released whenever Microsoft has them ready, the company said, a departure from a long-established practice that has earned "Patch Tuesday" a place in the security lexicon: Microsoft issues security updates on the second Tuesday of each month. Only emergency updates, dubbed "out-of-band," appear on other days.

"App security updates can be delivered on days other than the second Tuesday of the month," stated an explanatory page on the Microsoft Security Response Center's (MSRC) website.

"Providing security updates to these apps more frequently will allow us to add new functionality, fix issues and improve security," argued Mike Reavey, senior director of the MSRC, on the group's blog.

Security experts applauded Microsoft for that.

"This moves normal PCs closer to phones and tablets as far as updates are concerned, not controlled by IT anymore," said Wolfgang Kandek, CTO of Qualys. "Instead [the apps are] generically kept as updated as possible. The more PCs we can replace by tablets and phones, the safer the network will be."

But they weren't as happy with the way Microsoft was alerting customers of security issues.

Microsoft will create a single, perpetual security advisory that will list every update -- both those downloaded from the Store and the ones bundled with Windows 8 and RT, like Mail and Messaging -- and will in turn link to individual support, or Knowledge Base, documents. The latter will spell out each individual update's contents.

"Windows Store app security updates will be documented in one security advisory, which will have a permanent URL and will be revised when new issues are added," said Dustin Childs, group manager of Microsoft's Trustworthy Computing group, in an email reply to questions. "A unique Microsoft Knowledge Base article number will accompany each issue, in order to provide a transparent and unique reference for individual security updates."

But the standing advisory got a pan from the pros.

"This is the wrong tactic," said Andrew Storms, director of security operations at nCircle, in an interview using instant messaging. "The single advisory method is confusing. It's difficult to keep track of what's been updated, what was updated in each release, and when. And in the event they issue mitigation guidance for a specific bug, it will be even more difficult to go and find the information. Considering all the apps they distribute, how would one neatly organize all that info in a single advisory?"

Kandek agreed. "I'd prefer to have more detailed individual advisories that have enough depth for us to work with," he said.

Storms also knocked Microsoft's plan for not giving advance notice, as the company does currently with both the regularly scheduled Patch Tuesday updates and those issued out-of-band. Not that IT or corporate security staffs would be able to do much more than warn their users of a security risk and remind them that an update is available to install.

Although IT administrators can control which apps are installed from the Windows Store using AppLocker -- a tool deployed via Windows Server that restricts application installation on Windows 8 Enterprise, a volume-license-only edition of the OS -- and can even trigger automatic downloads of updates, the update's installation must be initiated by the user.
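As an added illustration of the control the article describes (example script, not from the article or from Microsoft), the following PowerShell builds AppLocker packaged-app rules from the Store apps already installed on a Windows 8 Enterprise machine, lets an administrator review them, and merges them into the local policy. It assumes the AppLocker module is available and an elevated session; the output path is a constructed placeholder.

```powershell
# Added example (not from the article): generate AppLocker packaged-app
# publisher rules from the Windows Store apps already installed, review them,
# then merge them into the local policy. Assumes Windows 8 Enterprise with the
# AppLocker module available; run from an elevated PowerShell session.
Import-Module AppLocker

# Constructed path for the generated policy file.
$PolicyPath = Join-Path $env:TEMP 'StoreApps-AppLockerPolicy.xml'

# Enumerate installed Store (Appx) packages and turn each into a Publisher rule.
# Publisher rules key on the package's signing identity and name rather than a
# file hash, which is what makes them usable for apps the Store keeps updating.
Get-AppxPackage -AllUsers |
    Get-AppLockerFileInformation |
    New-AppLockerPolicy -RuleType Publisher -User Everyone -Xml |
    Out-File -FilePath $PolicyPath -Encoding UTF8

# Review what was generated before applying it. The Appx rule collection sits
# alongside the Exe, Dll, Script and MSI collections in the same XML document.
[xml]$Policy = Get-Content -Path $PolicyPath
$Policy.AppLockerPolicy.RuleCollection |
    Where-Object { $_.Type -eq 'Appx' } |
    ForEach-Object {
        "Appx collection enforcement mode: $($_.EnforcementMode)"
        $_.FilePublisherRule | ForEach-Object { "  allow: $($_.Name)" }
    }

# Merge into the local AppLocker policy. Note the limit the article points out:
# this governs which packaged apps may be installed and run, not whether users
# actually install the security updates Microsoft delivers through the Store.
Set-AppLockerPolicy -XmlPolicy $PolicyPath -Merge
```

In a domain, the same XML would normally be imported into a Group Policy object rather than applied locally; the generated rules allow only the apps present when the script ran, so new Store apps are blocked until an administrator adds a rule.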

Windows RT tablets cannot be managed at all, since they cannot join a domain.

At best, enterprise IT departments must leave the most important step -- installing an update -- to the individual. That runs counter to Microsoft's long-standing belief that the less asked of users, the safer they are, as Windows' own Automatic Updates attests.

But the update and security model Microsoft has applied to Modern apps is the same consumer-centric one first promulgated by Apple in its app ecosystems: Users control updates, and the first line of security is the curated store. And while security experts may appreciate the latter, they don't much care for the former.

That could change.

"I think we will see more control functionality in the app stores soon," predicted Kandek. "Maybe close to what Apple has been doing: blocking certain plug-ins from running if they are not updated."

Because Microsoft has yet to issue a security update for any of its Modern apps -- although the Wednesday announcement hints that one may be imminent -- it has not yet created the perpetual advisory which will list fixed apps. When it does, the alert will appear on the company's security advisories page, which shows the five newest warnings, and its advisory archive.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, or subscribe to Gregg's RSS feed.
