Movable Type Security Update

By Byrne Reese

Today we are releasing Movable Type 4.01b and Movable Type 4.12. These are free, mandatory security updates for all Movable Type 4.x users. They resolve a vulnerability which has not been exploited, but which was reported to us by a third party on June 16 (corrected from June 15). We have addressed the issue with these updates, and are providing new, fully-tested versions for all affected versions of Movable Type in all supported configurations. A detailed description of the vulnerability can be found below, but in short a cross-site scripting (XSS) vulnerability has been found in Movable Type's built-in search feature, which could be exploited by malicious parties to execute JavaScript without permission.

We have no record of a user having been affected by this vulnerability, and there are no known public exploits. The release candidates of Movable Type 4.2, currently in testing, Movable Type 3.36 and Movable Type Enterprise 1.5 are all unaffected by this issue. Here's the Update Advisor, which summarizes the issues found and provides a guide for updating your installation of Movable Type.

Movable Type Update Advisor: Version 4.01b and 4.12:

  • Release Type: Security Release. The potential vulnerability has not yet been exploited in the wild.
  • Mandatory? This is a mandatory update for all users of Movable Type 4.0 and later.
  • Performance Implications: None.
  • Plugins Affected: None.
  • Templates Affected: No changes in your templates are required.
  • System Requirements: This release has no new or additional system requirements.
  • Licensing considerations: None. MT 4.01b and MT 4.12 are free updates for users of any version of MT 4.
  • Upgrade Fatigue: No planned updates are scheduled until the release of MT 4.2, which is currently in the final stages of release. There will be no further releases before MT 4.2 unless significant security issues are found which require additional 4.x releases. It has been 152 days since the last recommended update to MT 4.

Downloads are available in your account for current customers or through the download page.

Downloads are available through the channel where you received Movable Type: Paying users can find the update by logging in to your Movable Type account, and users of Movable Type Open Source or the free personal license can get the update from the download page.

In addition to the updates to Movable Type 4.01b and 4.12 for MT4 users, we have issued updates to the Movable Type Community Solution and Enterprise Solution. If you are on one of these platforms, you should have already been contacted by your account representative about these updates.

A Commitment to Security

We take Movable Type's security very seriously, especially as we know many of you choose Movable Type for its security track record. In addition to issuing fixes to affected versions of Movable Type, we have also amended our development and testing processes internally to help better detect these types of vulnerabilities in the future. As InformationWeek just noted, Movable Type has "a fraction of the security incidents of its peers". That means we take this update, and all security concerns extremely seriously out of commitment to you as a Movable Type user, out of our desire to uphold our reputation, and out of responsibility to the entire web to try to ensure technology platforms are as secure as possible.

Detailed Description

When conducting a tag search in Movable Type, the application does not properly escape the optional IncludeBlogs query string parameter before reflecting it into the page. As a result, a third party could construct a link that performs a tag search and, unbeknownst to the user who clicks it, also executes malicious JavaScript code embedded in that parameter. Such JavaScript could be used to transmit sensitive information about the user's active session.
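The pattern behind this class of bug, and the two defensive measures the fix relies on, as an added illustration in Perl (Movable Type's implementation language). This is not Movable Type's own code and does not reproduce its search application; the subroutine names, the hidden-field markup, and the assumption that IncludeBlogs carries only a comma-separated list of numeric blog IDs are ours. The log lines at the end are constructed samples in Apache common log format.

```perl
#!/usr/bin/perl
# Added illustration (not Movable Type's own code): a query parameter reflected
# into HTML without escaping, beside a hardened version that allowlists the
# value and escapes it anyway. Names and the numeric-ID assumption are ours.
use strict;
use warnings;

# Minimal HTML escaping for text placed inside an attribute or element body.
sub escape_html {
    my ($s) = @_;
    $s = '' unless defined $s;
    $s =~ s/&/&amp;/g;
    $s =~ s/</&lt;/g;
    $s =~ s/>/&gt;/g;
    $s =~ s/"/&quot;/g;
    $s =~ s/'/&#39;/g;
    return $s;
}

# Allowlist check (assumption): IncludeBlogs is a comma-separated list of
# positive integers. Returns the de-duplicated list, or undef for anything else.
sub validate_include_blogs {
    my ($v) = @_;
    return undef unless defined $v && $v =~ /\A\d+(?:,\d+)*\z/;
    my %seen;
    return join ',', grep { !$seen{$_}++ } split /,/, $v;
}

# Vulnerable rendering: the raw query value is interpolated straight into markup,
# so a double quote in the value closes the attribute and anything after it is
# parsed as HTML.
sub render_unsafe {
    my ($include_blogs) = @_;
    return qq{<input type="hidden" name="IncludeBlogs" value="$include_blogs">};
}

# Hardened rendering: reject values outside the allowlist, then escape the
# value as well (defence in depth: escaping still protects the page if the
# validation rule is relaxed later).
sub render_safe {
    my ($include_blogs) = @_;
    my $ids = validate_include_blogs($include_blogs);
    return '' unless defined $ids;
    return '<input type="hidden" name="IncludeBlogs" value="'
         . escape_html($ids) . '">';
}

# Log triage for administrators: flag requests whose IncludeBlogs value is not
# a plain ID list. Percent-decoding is applied so encoded markup is caught too.
sub suspicious_include_blogs {
    my (@lines) = @_;
    my @hits;
    for my $line (@lines) {
        next unless $line =~ /[?&]IncludeBlogs=([^&\s"]*)/;
        my $raw = $1;
        (my $decoded = $raw) =~ s/%([0-9A-Fa-f]{2})/chr(hex($1))/ge;
        push @hits, $decoded unless defined validate_include_blogs($decoded);
    }
    return @hits;
}

my $bad_value = q{1"><script>alert(1)</script>};   # constructed test value
print "unsafe:  ", render_unsafe($bad_value), "\n";   # attribute is broken out of
print "safe:    ", render_safe($bad_value),   "\n";   # rejected: prints nothing
print "normal:  ", render_safe('1,2,2'),      "\n";   # value="1,2"

# Constructed sample log lines; mt-search.cgi is Movable Type's search script.
my @log = (
    '10.0.0.1 - - [16/Jun/2008:10:00:00 +0000] "GET /mt/mt-search.cgi?tag=news&IncludeBlogs=1,2 HTTP/1.1" 200 1024',
    '10.0.0.2 - - [16/Jun/2008:10:00:05 +0000] "GET /mt/mt-search.cgi?tag=news&IncludeBlogs=1%22%3E%3Cscript%3E HTTP/1.1" 200 1024',
);
print "flagged: $_\n" for suspicious_include_blogs(@log);   # second line only
```

The allowlist alone would close this particular hole, but the escaping step is what makes the rendering safe regardless of what the parameter is later allowed to contain; applying both is the usual recommendation for any value that is reflected back into a page. The log check is a quick way to look for attempts in existing access logs while an installation is being updated.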

Versions Affected

Only the following versions of Movable Type are affected by this issue.

  • Movable Type 4.0, 4.01, 4.01a (Personal and Commercial)
  • Movable Type 4.1 (Open Source, Personal and Commercial)
  • Movable Type Community Solution 1.0, 1.0a
  • Movable Type Community Solution 1.5
  • Movable Type Enterprise Solution 1.0

All other versions of Movable Type, including the 4.2 release candidates, are not affected by this issue.

Applying the Fix

  • Users of Movable Type 4.0, 4.01 and 4.01a can install the updated Movable Type 4.01b, or they can replace the lib/MT/App/ file found in their distribution with an updated version.
  • Users of Movable Type 4.1 and 4.1a can install the updated Movable Type 4.12, or they can replace the lib/MT/App/ file found in their distribution with an updated version.

Learn more about Upgrading Movable Type 4 in the MT documentation.

As always, thank you so much for choosing Movable Type. We sincerely apologize for the inconvenience of having to upgrade your software, and we are committed to making such updates as infrequent as possible.