We've mentioned it on the Movable Type product site, but we're proud that MT has a history of being one of the most secure publishing platforms around. So a big part of our effort in creating Movable Type 4.2 has been around ensuring that it's our most secure release ever. And along the way, we've made some changes that will even improve security for older versions of MT.
Today we release Movable Type 4.2 Release Candidate 5, the last planned release candidate for this version of Movable Type before its final release, and the culmination of the largest security evaluation effort ever for our platform, and possibly for any installable blogging platform.
The diligent work of our team, joined by community contributors around the world, has found a few areas where we've been able to make Movable Type even more secure. In the case of Movable Type 4.2, that means its forthcoming final release will be the most secure version of MT ever. In the case of earlier releases, it means we'll be providing updates to remedy these potential security vulnerabilities. It's important to note that there are no known exploits of these issues, but we've chosen to preemptively address them. Here are the types of issues we found:
- Request Forgery - This vulnerability allows someone to intercept a request to an application over the wire and attempt to replay the request after modifying it some way. This makes it possible for them to perform a privileged action in your system without your knowledge.
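To make the request-forgery class concrete, here is an added example (not Movable Type's code, and not how MT implements its own protection) of a privileged handler before and after a fix. The handler names, the `ActionTokens` class, and the session and entry data are all constructed for illustration. The "before" handler trusts the session cookie alone, so a captured request can be replayed, with its parameters changed, and the action still runs. The "after" handler requires a single-use token that is HMAC-bound to the session, the action and the exact parameters, so a modified or replayed request is refused.

```python
import hashlib
import hmac
import secrets

# Constructed sample data for the demo: one logged-in session.
VALID_SESSIONS = {"sess-alice"}


class ActionTokens:
    """Issues and verifies single-use tokens bound to a session, an action and its parameters."""

    def __init__(self, server_key=None):
        # Per-installation secret; never leaves the server.
        self.key = server_key or secrets.token_bytes(32)
        self.unused = set()  # server-side record of tokens not yet consumed

    @staticmethod
    def _canonical(params):
        # Stable serialisation so the MAC covers every parameter value.
        return "&".join(f"{k}={params[k]}" for k in sorted(params))

    def _mac(self, session_id, action, params, nonce):
        msg = "|".join([session_id, action, self._canonical(params), nonce]).encode()
        return hmac.new(self.key, msg, hashlib.sha256).hexdigest()

    def issue(self, session_id, action, params):
        nonce = secrets.token_hex(16)
        token = f"{nonce}.{self._mac(session_id, action, params, nonce)}"
        self.unused.add(token)
        return token

    def verify(self, token, session_id, action, params):
        nonce, sep, mac = token.partition(".")
        if not sep:
            return False
        expected = self._mac(session_id, action, params, nonce)
        if not hmac.compare_digest(mac.encode(), expected.encode()):
            return False  # forged, or session/parameters changed since the token was issued
        if token not in self.unused:
            return False  # token already consumed: this is a replay
        self.unused.discard(token)
        return True


def delete_entry_unprotected(request, entries):
    """'Before': any request carrying a valid session cookie is acted on."""
    if request["session_id"] not in VALID_SESSIONS:
        return "denied"
    entries.discard(request["params"]["entry_id"])
    return "deleted"


def delete_entry_protected(request, entries, tokens):
    """'After': the request must also carry an unused token minted for exactly this action."""
    if request["session_id"] not in VALID_SESSIONS:
        return "denied"
    if not tokens.verify(request.get("token", ""), request["session_id"],
                         "delete_entry", request["params"]):
        return "denied"
    entries.discard(request["params"]["entry_id"])
    return "deleted"


def demo():
    """Run the constructed scenario and return each outcome for inspection."""
    entries = {"7", "8"}
    tokens = ActionTokens()
    sid = "sess-alice"
    token = tokens.issue(sid, "delete_entry", {"entry_id": "7"})
    legit = {"session_id": sid, "token": token, "params": {"entry_id": "7"}}
    # Same captured token, but the parameters were altered in transit.
    tampered = {"session_id": sid, "token": token, "params": {"entry_id": "8"}}
    results = {}
    results["tampered"] = delete_entry_protected(tampered, entries, tokens)  # denied
    results["legit"] = delete_entry_protected(legit, entries, tokens)        # deleted
    results["replay"] = delete_entry_protected(legit, entries, tokens)       # denied
    # The unprotected handler accepts the altered request with no token at all.
    results["unprotected"] = delete_entry_unprotected(
        {"session_id": sid, "params": {"entry_id": "8"}}, entries)          # deleted
    results["remaining"] = set(entries)
    return results


if __name__ == "__main__":
    print(demo())
```

The token defends against the replay and modification described above; it does not by itself defend against interception, since a token read off the wire is still valid until its one use is spent. Transport encryption handles that part, and the single-use record limits what a captured request can do to the one action it was issued for.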
For the most part, Movable Type already protected against these vulnerabilities. What our security audit uncovered were instances in which we weren't being consistent in following best practices for security across the entire application. These issues can also affect previous versions of Movable Type, so we are also issuing updates to all versions of Movable Type going back to MT 3.36, including:
- Movable Type 3.36, 4.01 and 4.13
- Movable Type Enterprise 1.55
- Movable Type Community Solution 1.51
All of this work means that we're about to release significant new security updates to all supported versions of the Movable Type platform. In order to deliver these fixes as rapidly as possible, and to support your ability to test these fixes in your own environment, we are providing test builds of Movable Type which incorporate the new security patches. These builds are provided as a temporary measure while we complete our full suite of testing and verification processes for every affected version of Movable Type. We anticipate having final versions of these releases around August 22, 2008.
To the best of our knowledge there have been no known exploits of these vulnerabilities in the wild and no customers have been affected by any of the vulnerabilities addressed by this release. Here's the Update Advisor, which summarizes the issues we found and provides a guide for updating your installation of Movable Type.
Movable Type Update Advisor: Versions 3.37, 4.01c and 4.14:
- Release Type: Security Release. None of the fixed vulnerabilities has been exploited in the wild.
- Mandatory? This is a mandatory update for all users of Movable Type 3.36 and later.
- Performance Implications: None.
- Plugins Affected: None.
- Templates Affected: No changes in your templates are required.
- System Requirements: This release has no new or additional system requirements.
- Licensing considerations: None. MT 3.37, MT 4.01c and MT 4.13 are free updates for users of any version of MT3 and MT4 respectively.
- Upgrade Fatigue: No updates are scheduled until the release of MT 4.2, which is currently in the final stages of release. There will be no further releases before MT 4.2 unless significant security issues are found which require additional 4.x releases. It has been 46 days since the last recommended update to MT4.
Provisional builds are available for download from movabletype.org for MTOS and Movable Type Commercial.