Today we are releasing a mandatory security update for all Movable Type users, to address a potential security issue which has been reported by a third party. A detailed description of the vulnerability can be found later in this post, but to summarize: In affected versions of Movable Type, there are certain circumstances in which a blog template may be rendered dynamically via CGI in an otherwise static publishing context. If you use Movable Type to publish PHP files (or JSP or ASP pages) and have embedded within your Movable Type templates sensitive information (such as database connection information), then that sensitive information could potentially be exposed and viewed publicly.
There is no record of a customer having been affected by this vulnerability. Here's the Update Advisor, a simple scorecard to let you evaluate this new release.
In addition to the updates to Movable Type 4.01a for MT4 users and Movable Type 3.36 for MT3 users, we have issued updates to Movable Type Enterprise and to the Movable Type Community Solution and Enterprise Solution. If you are on one of these platforms, you should be contacted by your account representative about these updates shortly.
We also recognize that many Movable Type users are still running version 3.2. If you are running version 3.2, you can download a Comments.pm. Please note that this patch is only intended for use with Movable Type version 3.2.
While we routinely perform security evaluations and do regular testing of Movable Type, and strive to make Movable Type as secure and reliable as possible, we sometimes have to release these updates in order to address issues found outside the course of our scheduled testing and release process. We sincerely apologize for the inconvenience of having to update your software.