March 29, 2013, 2:36 PM — Microsoft earlier this week quietly issued its first security update for one of its Windows 8 apps, patching a link-spoofing vulnerability in Mail.
Two weeks ago, Microsoft spelled out plans for updating its own "Modern" apps, the flat-UI (user interface), touch-based programs that run in one of the two UIs of Windows 8 and in the primary UI of Windows RT. At that time, Microsoft said it would issue security updates on the fly, not only on its regularly scheduled Patch Tuesday each month.
It also said it would alert customers via a standing security advisory.
Microsoft published that advisory for the first time Tuesday.
As security experts expected, the advisory contains little information: it lists only the Mail app as the affected program; notes that the vulnerability could be used to fake a link, disguising a link to a malicious site as one to a trusted website; and cites a CVE (Common Vulnerabilities and Exposures) identifier.
"Talk about bare bones," said Andrew Storms, director of security operations at nCircle Security, in an interview today.
Microsoft rated the Mail flaw as "moderate," the second of four threat ratings.
The company credited Alex Wolff, founder of Brown Wolff, a London-based IT consultancy, with reporting the vulnerability.
Two weeks ago, security professionals praised Microsoft for its plan to update Modern apps when they were ready, rather than wait for the next Patch Tuesday. But they panned the way Microsoft said it would alert users and IT administrators.
Those opinions haven't changed. Not only did the company not bother to notify users of the update in the Microsoft Security Response Center (MSRC) blog -- as it always does with new operating system advisories and updates -- but it stuck to plans to use a single, permanent advisory for all Modern app patches.
"It's telling that someone like me, who follows Microsoft security advisories pretty closely, completely missed this [on Tuesday]," said Storms, who, like Computerworld, only noticed the Mail advisory today. "It's odd, because you would think that Microsoft would want people to know about it."
Experts had criticized the standing advisory concept, saying that as the number of updates accumulates, it would be difficult for enterprise IT and security personnel to pick out the pertinent information, search for past fixes and locate any work-arounds.