Microsoft earlier this week quietly issued its first security update for one of its Windows 8/RT apps, patching a link-spoofing vulnerability in Mail.
Two weeks ago, Microsoft spelled out plans for updating its own Metro apps, the programs that run in Windows 8's and Windows RT's tile-based UI. Then, Microsoft said it would issue security updates on the fly, not just on its regularly scheduled Patch Tuesday each month.
It also said it would alert customers via a standing security advisory. Microsoft published that advisory for the first time Tuesday.
As security experts expected, the advisory contains little information, listing only the Mail app as the affected program and citing a CVE (Common Vulnerabilities and Exposures) identifier. It notes that the vulnerability could be used to spoof a link: a link that actually points to a malicious site could be made to appear to point to a trusted website.
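The advisory gives no detail on how the Mail bug works, so the following is an added, generic illustration of the link-spoofing class it describes, not Microsoft's code or the actual mechanism of the patched flaw. The check below, written for this article rather than taken from it, walks the anchors of an HTML mail body and flags the classic pattern: the visible link text names one host while the `href` resolves to another (or to a non-HTTP scheme). The `find_spoofed_links` function, the `SAMPLE_MAIL` body and every hostname in it are constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hostname-looking token in the visible link text, with or without a scheme.
HOST_RE = re.compile(r'(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})', re.I)


def _target_host(href):
    """Return the lowercase host of an http(s) href, or None for any other scheme."""
    parsed = urlparse(href.strip())
    if parsed.scheme.lower() not in ("http", "https"):
        return None
    return (parsed.hostname or "").lower()


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:      # only text inside an open <a>
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def find_spoofed_links(html):
    """Return (text, href, reason) for anchors whose displayed host does not match the real target.

    Links whose visible text contains no hostname (e.g. "Click here") are not
    judged here; a display host that is the target host itself, or a parent of
    it (microsoft.com shown, login.microsoft.com targeted), is accepted.
    """
    collector = _AnchorCollector()
    collector.feed(html)
    collector.close()

    findings = []
    for href, text in collector.links:
        match = HOST_RE.search(text)
        if match is None:
            continue
        shown = match.group(1).lower()
        target = _target_host(href)
        if target is None:
            findings.append((text, href, "non-http target"))
        elif not (target == shown or target.endswith("." + shown)):
            findings.append((text, href, "host mismatch"))
    return findings


# Constructed sample mail body: one spoofed link, one honest link,
# one link with no host in its text, and one javascript: target.
SAMPLE_MAIL = """
<p>Your account needs attention.</p>
<a href="https://update.example.net/login">https://account.microsoft.com/security</a><br>
<a href="https://login.microsoft.com/">login.microsoft.com</a><br>
<a href="https://www.microsoft.com/">Click here</a><br>
<a href="javascript:alert(1)"><b>www.microsoft.com</b></a>
"""

if __name__ == "__main__":
    for text, href, reason in find_spoofed_links(SAMPLE_MAIL):
        print(f"{reason}: shows {text!r} but points to {href!r}")
```

Run against `SAMPLE_MAIL` the check reports two anchors: the first, where the text shows a microsoft.com URL but the target is example.net, and the last, where the target is not an HTTP URL at all. A mail client that renders anchors verbatim has to perform a comparison like this itself (or show the real target on hover) because nothing in HTML ties the displayed text to the destination.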
"Talk about bare-bones," said Andrew Storms, director of security operations at nCircle Security.
Microsoft rated the Mail flaw as "moderate," the second-lowest of its four severity ratings (critical, important, moderate, low). The company credited Alex Wolff, founder of Brown Wolff, a London-based IT consultancy, with reporting the vulnerability.
Two weeks ago, security professionals praised Microsoft for its plan to update Metro apps when they were ready, rather than wait for the next Patch Tuesday. But they panned how Microsoft said it would alert users and IT administrators.
Those opinions haven't changed. Not only did the company not bother to notify users of the update in the Microsoft Security Response Center (MSRC) blog -- as it always does with new operating system advisories and updates -- but it stuck to plans to use a single, permanent advisory for all Metro app patches.
"It's telling that someone like me, who follows Microsoft security advisories pretty closely, completely missed this [on Tuesday]," said Storms, who only noticed the Mail advisory today. "It's odd, because you would think that Microsoft would want people to know about it."
Experts had criticized the standing advisory concept, saying that as the number of updates accumulates, it would be difficult for enterprise IT and security personnel to pick out the pertinent information, search for past fixes and locate any work-arounds. "I think for the user it is enough information," said Wolfgang Kandek, CTO of Qualys. "For us, it is thin."
Although Microsoft is handling Metro app updates almost identically to vendors of other app stores -- Apple and Google, for example -- it's being held to a different standard by security pros because of the company's history of providing detailed information, mitigation moves, and automated workarounds for flaws in its traditional desktop software, such as Windows and Office. "We do hold them to a different standard, because of what they've done in the past," noted Storms.