Movable Type 4.2 RC5 and Security Updates

By Byrne Reese
Posted August 8, 2008, in Security.

We've mentioned it on the Movable Type product site, but we're proud that MT has a history of being one of the most secure publishing platforms around. So a big part of our effort in creating Movable Type 4.2 has been around ensuring that it's our most secure release ever. And along the way, we've made some changes that will even improve security for older versions of MT.

Today we release Movable Type 4.2 Release Candidate 5, the last planned release candidate for this version of Movable Type before its final release, and the culmination of the largest security evaluation effort ever for our platform, and possibly for any installable blogging platform.

The diligent work of our team, joined by community contributors around the world, has found a few areas where we've been able to make Movable Type even more secure. In the case of Movable Type 4.2, that means its forthcoming final release will be the most secure version of MT ever. In the case of earlier releases, it means we'll be providing updates to remedy these potential security vulnerabilities. It's important to note that there are no known exploits of these issues, but we've chosen to preemptively address them. Here are the types of issues we found:

  • Un-escaped Form Input - This cross-site scripting vulnerability, also known as "XSS," exists when an application echoes content entered by the user back to the browser verbatim, without filtering or escaping JavaScript code. This makes it possible for someone to construct a link that, if clicked by a user logged into Movable Type, executes JavaScript code in that user's session without their knowledge.
  • Mixed Character Encodings - This vulnerability is another XSS variant that only affects users of older browsers such as IE6. When processing text on a page, these browsers are unable to distinguish between characters encoded in two different formats and can thus interpret them incorrectly. If those characters translate into JavaScript code, that code will be executed.
  • Request Forgery - This vulnerability allows someone to intercept a request to an application over the wire and attempt to replay it after modifying it in some way. This makes it possible for them to perform a privileged action in your system without your knowledge.
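As an added illustration of the three issue classes above (not Movable Type's own code; the field names, session key and request parameters are constructed for the example), the Python below shows an unescaped echo beside its escaped form, strict single-charset decoding of a form field, and a request token that binds a privileged request's parameters to the user's session so that a modified copy of the request fails verification. The strict-UTF-8 decode and explicit charset header are the standard mitigation for encoding confusion, not something the post itself describes.

```python
import hashlib
import hmac
import html
import secrets
from urllib.parse import urlencode

# Added example, not Movable Type code: names, keys and parameters are constructed.

def render_author_vulnerable(author: str) -> str:
    # Echoes the submitted field verbatim: <script> in the name is parsed as markup.
    return f"<p>Posted by {author}</p>"

def render_author_fixed(author: str) -> str:
    # html.escape turns &, <, >, " and ' into entities, so the browser shows them as text.
    return f"<p>Posted by {html.escape(author, quote=True)}</p>"

def decode_form_field(raw: bytes) -> str:
    # Decode strictly as UTF-8 and reject anything else, so a field cannot carry a
    # second encoding for an old browser to guess at; the response should also send
    # an explicit 'Content-Type: text/html; charset=utf-8' header.
    try:
        return raw.decode("utf-8")
    except UnicodeDecodeError as exc:
        raise ValueError("form field is not valid UTF-8") from exc

def request_token(session_key: bytes, params: dict) -> str:
    # Bind the exact parameters of a privileged request to a per-session random key
    # (drawn once per login, here with secrets.token_bytes).
    canonical = urlencode(sorted(params.items()))
    return hmac.new(session_key, canonical.encode("utf-8"), hashlib.sha256).hexdigest()

def request_is_genuine(session_key: bytes, params: dict, token: str) -> bool:
    # A copy of the request with any parameter changed, or one built without the
    # session key, yields a different token; the comparison is constant-time.
    return hmac.compare_digest(request_token(session_key, params), token)

if __name__ == "__main__":
    name = "<script>alert(1)</script>"
    print(render_author_vulnerable(name))   # markup reaches the browser unchanged
    print(render_author_fixed(name))        # &lt;script&gt;... is displayed as text
    key = secrets.token_bytes(32)
    params = {"action": "delete_entry", "id": "12"}
    tok = request_token(key, params)
    print(request_is_genuine(key, params, tok))                   # True
    print(request_is_genuine(key, {**params, "id": "13"}, tok))   # False
```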

For the most part Movable Type already protected against these vulnerabilities. What our security audit uncovered were instances in which we weren't being consistent in following best practices for security across the entire application. These issues can also affect previous versions of Movable Type, so we are also issuing updates to all versions of Movable Type going back to MT 3.36, including:

  • Movable Type 3.36, 4.01 and 4.13
  • Movable Type Enterprise 1.55
  • Movable Type Community Solution 1.51

All of this work means that we're about to release significant new security updates to all supported versions of the Movable Type platform. In order to deliver these fixes as rapidly as possible, and to support your ability to test these fixes in your own environment, we are providing test builds of Movable Type which incorporate the new security patches. These builds are provided as a temporary measure while we complete our full suite of testing and verification processes for every affected version of Movable Type. We anticipate having final versions of these releases around August 22, 2008.

To the best of our knowledge there have been no known exploits of these vulnerabilities in the wild and no customers have been affected by any of the vulnerabilities addressed by this release. Here's the Update Advisor, which summarizes the issues we found and provides a guide for updating your installation of Movable Type.

Movable Type Update Advisor: Versions 3.37, 4.01c and 4.14:

  • Release Type: Security Release. None of the fixed vulnerabilities has been exploited in the wild.
  • Mandatory? This is a mandatory update for all users of Movable Type 3.36 and later.
  • Performance Implications: None.
  • Plugins Affected: None.
  • Templates Affected: No changes in your templates are required.
  • System Requirements: This release has no new or additional system requirements.
  • Licensing considerations: None. MT 3.37, MT 4.01c and MT 4.13 are free updates for users of any version of MT3 and MT4 respectively.
  • Upgrade Fatigue: No updates are scheduled until the release of MT 4.2, which is currently in the final stages of release. There will be no further releases before MT 4.2 unless significant security issues are found which require additional 4.x releases. It has been 46 days since the last recommended update to MT4.

Provisional builds are available for download from movabletype.org for MTOS and Movable Type Commercial.

14 Comments

demonsurfer on August 8, 2008, 6:45 p.m.

When I log in to my Six Apart user account, the version available for download there is Movable Type 4.13 Commercial 5 Author... is that what I should be using, or the MT-4.14-en.zip available from the download page you linked to from this entry? (No, that's not a typo: 4.13 vs 4.14.) Thanks.

demonsurfer on August 8, 2008, 6:49 p.m.

Err... ok, now I'm even more confused. Above in this post, under the heading 'Movable Type Update Advisor', it seems to infer 4.14 is the new version in the heading, but 4.13 in the following text where it mentions 'Licensing considerations'... meh?

Andrey Serebryakov on August 9, 2008, 3:01 a.m.

Maybe there is an archive with only modified files?

Su on August 9, 2008, 10:02 a.m.

Andrey: There isn't. And I don't think it's too likely that will be done anymore. From memory, whenever security updates were released as changed files (as an option), it only resulted in a lot of confused people wondering what they were supposed to do with them. It's just easier this way, if maybe not quite as convenient. Any diff application will give you a list of changed files quickly enough, if it's important to you.

MikeT on August 9, 2008, 7:46 p.m.

I filed a bug report about the templates in RC 4, and apparently the bug still exists in RC 5. I replicated the bug locally through the following steps:

1) Fresh installation of RC5 on OS X with a complete nuke of the database.
2) Imported my old entries with an import file.
3) Changed from the default red, 3-column theme to Unity blue with the same layout using Style Catcher.

This is before.

This is after.

I’ve had the same problem on my own blog, and am stuck using RC3 because of this.

MikeT on August 9, 2008, 8:22 p.m.

The problem seems to be specific to Firefox; Safari had no problem displaying the markup correctly.

kimonostereo on August 12, 2008, 12:40 p.m.

Are there change log notes for RC5? Thanks!

demonsurfer on August 12, 2008, 6:45 p.m.

Drooling here... saw the ProNet message...

demonsurfer on August 12, 2008, 7:05 p.m.

Ah ha! It's there on my MT account! Yay, thank you!

P.Hogan on September 11, 2012, 1:23 a.m.

This constant work on security makes MT so good to use.

Jordan Taylor on October 25, 2012, 8:23 p.m.

Hi Su. It seems easy to me. You just need to update the security files mentioned above by Byrne Reese.

Craig Murray on November 14, 2012, 3:01 a.m.

Hi, about "Mixed Character Encodings". I've seen some text where the language is English, but the e and o letters are written in Russian so it can't be detected by the search engines. Do you mean this problem, or is there something different?

Kelly Roberts on November 24, 2012, 8:46 p.m.

I wonder how it is possible to make the same-looking action in the core of Movable Type so that the content added by a third party goes unnoticed by the site owner? What kind of content is he going to add to the site? Some malicious code to steal data, or spam links?

Tammi on November 28, 2012, 2:55 a.m.

Hi, the link which should lead to “providing test builds” is broken.

Byrne Reese

Byrne Reese was previously the Product Manager of Movable Type at Six Apart, where he had also held positions as the Manager of Platform Technology and Product Manager for TypePad. Byrne is a huge supporter of the Movable Type user and developer community. He dedicates much of his time to promoting and educating people about Movable Type as well as building the tools and plugins for Movable Type that are showcased on Majordojo. He contributes regularly to open source; and he is an advocate for open protocols and standards like Atom and OpenID.

Website: http://profile.typekey.com/byrnereese