Feeds

Redmond to skip Patch Tuesday for Windows Store apps

All updates, all the time for touchy-feely tiles

Top three mobile application threats

Microsoft has announced that it will ship fixes and updates for the Windows Store apps that come bundled with Windows 8 and Windows RT as soon as they are available, rather than issuing them in batches as it does for the rest of Windows.

"We are committed to adapting our policies as the world evolves and with the new Windows Store, we evaluated how to best release security updates for Windows Store apps," Mike Reavey of Microsoft's Trustworthy Computing division wrote in a blog post on Tuesday. "Our goal is to have a quick, transparent and painless security update process."

In the past, Microsoft has held off on releasing new Windows patches and bug fixes until the second Tuesday of each month, resulting in a regular mass-update event that has come to be known as "Patch Tuesday."

The company often rolls patches for other important software into the Patch Tuesday bundle, as well, such as Office updates, fixes for the Flash Player component of Internet Explorer 10, and firmware updates for Surface devices.

Only in unusual cases will Microsoft release a patch outside of its normal update cycle, such as when a security vulnerability is being actively exploited in the wild.

In the case of Windows Store apps, however, Microsoft now says that it will publish new updates as soon as they are ready – including updates for the Windows Store apps that come bundled with Windows 8 and Windows RT, such as Calendar, Mail, Maps, Messaging, People, Weather, and so on.

"The Windows Store introduces a model in which regular updates are a normal part of using software. Apps are updated frequently to add new functionality, fix bugs, and improve security," Redmond's new policy statement states. "The operative expectation: quick and painless updates."

Your humble Reg hack notes that the potential problem with this plan is that it's always possible for the latest patch to introduce new problems that weren't there before. But on that score, Microsoft says not to worry, because the Windows Store programming model is inherently better than what has come before.

"Improved Application Programming Interface (API) and security models help developers avoid introducing new bugs in updates," the new security policy helpfully explains.

Only in the rare case that a security flaw affects both a Windows Store app and another piece of traditional desktop software simultaneously will Microsoft consider delaying the fix for the Windows Store app until Patch Tuesday – and even then, it will release the patch immediately if the vulnerability is serious enough.

Microsoft says it will maintain a security bulletin with a unique Knowledge Base (KB) number for each of its Windows Store apps, and the bulletin will be updated as each new patch is delivered to customers.

Otherwise, it says, this change in its update policy for Windows Store apps will have no effect on how it issues patches for the other components of Windows, which it still plans to ship on Patch Tuesdays, except in the event of emergencies.

"Microsoft is committed to preserving the attributes valued in our traditional update policy while adapting security update releases to meet broader customer expectations around apps available through the Windows Store," the company said in a statement. ®

Seven Steps to Software Security

More from The Register

next story
NO MORE ALL CAPS and other pleasures of Visual Studio 14
Unpicking a packed preview that breaks down ASP.NET
Captain Kirk sets phaser to SLAUGHTER after trying new Facebook app
William Shatner less-than-impressed by Zuck's celebrity-only app
Apple fanbois SCREAM as update BRICKS their Macbook Airs
Ragegasm spills over as firmware upgrade kills machines
Cheer up, Nokia fans. It can start making mobes again in 18 months
The real winner of the Nokia sale is *drumroll* ... Nokia
Mozilla fixes CRITICAL security holes in Firefox, urges v31 upgrade
Misc memory hazards 'could be exploited' - and guess what, one's a Javascript vuln
Put down that Oracle database patch: It could cost $23,000 per CPU
On-by-default INMEMORY tech a boon for developers ... as long as they can afford it
Google shows off new Chrome OS look
Athena springs full-grown from Chromium project's head
prev story

Whitepapers

Top three mobile application threats
Prevent sensitive data leakage over insecure channels or stolen mobile devices.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
Build a business case: developing custom apps
Learn how to maximize the value of custom applications by accelerating and simplifying their development.