Movable Type Update Advisor: Version 4.24
- Release Type: Security Release. This update fixes a serious potential vulnerability which has not yet been exploited in the wild.
- Mandatory? Yes, this is a mandatory security upgrade.
- Performance Implications: None.
- Plugins Affected: None. Your current plugins should continue to work as expected.
- Templates Affected: None.
- System Requirements: This release has no new or additional system requirements.
- Licensing considerations: None. MT 4.24 is a free update for users of any version of MT 4.x.
- Upgrade Fatigue: No further mandatory updates are planned for Movable Type 4.2.
Downloads are available in your account for current customers or through the download page.
Enterprise customers and clients of Six Apart Services should already have received full details on this update from your account representative.
While MT 4.24 is primarily a security fix release, because we had to update some related code we have also included one of the most-requested additions to Movable Type 4.2's community features: better password recovery.
The old password recovery system in MT required users to remember a password recovery hint, which, put simply, was often confusing and ineffective. Instead, with MT 4.24, Movable Type communities automatically get a standard password recovery system that emails a password reset link to the email address the user has on file.
We have updated the Movable Type documentation with full instructions on how to reset your password if needed, and upgrading to this new version should automatically enable the new feature with no effort required on your part.
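What makes an emailed reset link safer than a recovery hint is how the token in it is generated, stored and redeemed. The following is an added example and not Movable Type's implementation: the store, the `/reset?token=` URL shape, the one-hour lifetime and the sample user table are assumptions. It shows the properties a practitioner checks for: a long random token, only its hash kept server-side, single use, expiry, one outstanding link per user, and a "forgot password" response that does not reveal whether the address exists.

```python
"""Reset-link password recovery: what makes the emailed link safe.

Added illustration, not Movable Type's code. The in-memory store, the URL
layout and TOKEN_TTL_SECONDS are assumptions made for the example.
"""
import hashlib
import secrets
import time
from typing import Callable, Dict, Optional, Tuple

TOKEN_TTL_SECONDS = 3600  # assumed lifetime of a reset link


def _digest(token: str) -> str:
    """Only this digest is stored: a leaked table yields no usable links."""
    return hashlib.sha256(token.encode("ascii")).hexdigest()


class ResetTokenStore:
    """Issues and redeems password reset tokens."""

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._clock = clock
        # sha256(token) -> (user_id, expires_at)
        self._pending: Dict[str, Tuple[str, float]] = {}

    def issue(self, user_id: str) -> str:
        # One outstanding link per user: a new request cancels the old one.
        for digest, (uid, _) in list(self._pending.items()):
            if uid == user_id:
                del self._pending[digest]
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._pending[_digest(token)] = (user_id, self._clock() + TOKEN_TTL_SECONDS)
        return token

    def reset_link(self, user_id: str, base_url: str) -> str:
        """The URL that goes into the email (path and parameter assumed)."""
        return f"{base_url}/reset?token={self.issue(user_id)}"

    def redeem(self, token: str) -> Optional[str]:
        """Return the user the token belongs to, or None.

        The entry is removed on first presentation whether or not it is
        still valid, so a token can be neither replayed after a successful
        reset nor retried after expiry. Lookup is by digest of a token the
        caller already holds, so the dictionary is not a timing oracle."""
        entry = self._pending.pop(_digest(token), None)
        if entry is None:
            return None
        user_id, expires_at = entry
        if self._clock() > expires_at:
            return None
        return user_id

    def purge_expired(self) -> int:
        """Housekeeping: drop links that were never clicked."""
        now = self._clock()
        stale = [d for d, (_, exp) in self._pending.items() if exp < now]
        for digest in stale:
            del self._pending[digest]
        return len(stale)


def request_reset(email: str, users: Dict[str, str], store: ResetTokenStore,
                  base_url: str) -> Tuple[str, Optional[str]]:
    """Handler for the 'forgot password' form.

    The message shown on the page is identical whether or not the address
    is on file, so the form cannot be used to enumerate accounts; the link
    (if any) goes to the mailer, never into the response."""
    link = None
    user_id = users.get(email.strip().lower())
    if user_id is not None:
        link = store.reset_link(user_id, base_url)
    return "If that address is on file, a reset link has been sent.", link


if __name__ == "__main__":
    store = ResetTokenStore()
    users = {"alice@example.org": "alice"}  # constructed sample user table
    message, link = request_reset("alice@example.org", users, store, "https://blog.example")
    print(message)
    print("mailer would send:", link)
    print("redeemed for:", store.redeem(link.split("token=", 1)[1]))
    print("second use:", store.redeem(link.split("token=", 1)[1]))
```

The two things most often missing from home-grown reset flows are the ones this makes explicit: the token is hashed before it is stored, and redemption consumes it. A recovery hint has neither property, which is why the old scheme was weaker regardless of how good the hint was.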
Movable Type Update Advisor: Version 4.23
- Release Type: Security Release. This update fixes a potential vulnerability which has not yet been exploited in the wild.
- Mandatory? Yes, this is a mandatory security upgrade.
- Performance Implications: None.
- Plugins Affected: None. Your current plugins should continue to work as expected.
- Templates Affected: An update to the profile view template is required for those customers who use the community template sets and user profile feature.
- System Requirements: This release has no new or additional system requirements.
- Licensing considerations: None. MT 4.23 is a free update for users of any version of MT 4.x.
- Upgrade Fatigue: No further mandatory updates are planned for Movable Type in 2008.
Downloads are available in your account for current customers or through the download page.
[Editor's Note: There was no Movable Type 4.22. It's a long story. But you didn't miss anything, don't worry!]
- We partnered with JumpBox, the innovators in creating virtual appliances that work everywhere you'd want to deploy an application, from VMware to Xen, Parallels to Virtual Iron to Microsoft Virtualization, on Windows and Linux and Mac OS. The JumpBox folks make it possible to put Virtual Movable Type anywhere you want to test, develop, or deploy it, and they provide a simple setup experience to get you running quickly.
- Six Apart Services contributed mightily to this release, partnering with the core Movable Type team to build in the expertise they've developed from creating, launching, and supporting some of the biggest publishers on the web.
- Finally, and most importantly, we listened to our Movable Type community. Enterprise admins told us that you're concerned about server utilization and power costs, and that virtualization is a part of nearly every platform strategy going forward. Developers told us you want a simple, reliable standardized configuration to develop and test your work against. And everybody in the whole freaking blogosphere told us you wish you could try out Movable Type with just a few clicks. So now you can!
Today, we're releasing the latest update to Movable Type, version 4.2, and along with it we're announcing the launch of Movable Type Pro, a profoundly powerful new set of capabilities that shows the web where blogging is going next.
So, what's new in this release?
- Movable Type Pro lets you turn any site into a full social publishing platform, combining all of Movable Type's abilities as a blogging and CMS with social networking features like profiles, ratings, user registration, forums, following, and more.
- The platform upgrade to Movable Type 4.2 fulfills the top three requests made by our community -- it's up to 100 times faster for common tasks, features much simpler templates for customizing your site, and includes 100% free and open source TypePad AntiSpam for keeping junk comments off your site.
- Movable Type Pro includes all of the features in the Movable Type Community Solution and more, giving you all the power of this enormously successful social networking platform. And if you're a personal blogger or have a current MT license, Movable Type Pro is a free update.
- Movable Type remains the most secure publishing platform of its kind. As part of developing these new versions, we completed the most intensive proactive search for security issues in the history of the platform.
First, we set publishing free. Next up, social networks.
These announcements are a milestone for the entire Movable Type community, but they represent a vision that we've been building for years. Almost seven years ago, when Movable Type was first being created, the power of publishing on the web was still largely in the hands of a few giant media companies. In the years since, thanks in no small part to the community of bloggers who got started with Movable Type, that power has been unleashed, making it possible for anyone to publish with all the professionalism and presence of a giant media corporation by using easy-to-use, open tools.
Today, we're bringing the same idea to social networking. Providing social features to your community doesn't mean you have to give up control of your community to a giant media entity. Managing a community online is something you can do yourself, using easy-to-use, open tools.
Enough theory -- here's the features in MT Pro:
- Everyone's invited. You can easily add full-featured forums, community blogs and group blogs to your site, and since Movable Type has always managed an unlimited number of blogs in one interface, you can keep track of all those conversations using a single set of tools.
- Membership. It's easy to allow anyone on the web to register on your site, or to sign in with MT's industry-leading OpenID support. Once they're in, your site's members get full-fledged customizable profiles, personalized user pictures (avatars), and can follow their friends or other site members they're interested in.
- Call it "UGC", if you must. Any member of your community can, with appropriate permissions, submit content for publishing on your site. Administrators have full ability to review submissions, and submitted posts show up on user profiles right next to their comments and other activity. Whether you call it "user-generated content" or just "a good idea", it's built right in.
- Ratings and Recommendations. Any registered user on your site can vote for content they like, making it easy to create "most popular" or "most recommended" lists on your site. You can even create your own voting communities within your site -- think "Digg in a box".
And all of those features are on top of the amazing new powers of MT 4.2:
- It's fast. MT's smart caching only publishes the parts of the page that change, and the core engine's been radically revamped to make it more efficient. The result? Using your current templates, publishing can be two to three times faster, right out of the box. Some testers have seen results with publishing up to ten times as fast or more.
- Templates are super simple. MT has always been designed so you don't need a ton of plugins to do fancy things with your site's design. But with all that power, our community told us that we also needed to make sure templates were still easy to understand. So in MT 4.2, templates are vastly simplified, and easier than ever to customize. And live template previews even let you see design changes before they're published on your site.
- 100% Free AntiSpam. TypePad AntiSpam is the best comment spam prevention service on the web. And it's 100% free no matter how many comments you get, plus it's open source and Akismet API compatible so it's easy to hook up to your site. With MT 4.2, it's also built right in to Movable Type.
- Even better APIs. OpenID support, OAuth libraries, and the ability to add in plugins to connect with the iPhone, Action Streams and more are all built right in. And all of your MT4 plugins should keep working just fine with this update, or have been updated to work even better in 4.2.
- Plus all the power of MT4. A powerful built-in asset management system. Integrated widget management. The smartest template editor around. The ability, as always, to manage an unlimited number of blogs and authors all in one place. Industry-leading support for new technologies and features. And an absolutely unparalleled community of passionate developers, designers, bloggers, and experts.
Get Started
So, with the release of version 4.2, it's time to get started with Movable Type Pro. The web sites you're running today can blossom into full-fledged communities, connected and communicating with the rest of the web. Your existing blogs can zip many times faster than they do today. And your community can help shape the next evolution of social publishing on the web.
Today we are releasing Movable Type 4.01b and Movable Type 4.12. These are free mandatory security updates for all Movable Type 4.x users. These updates resolve a vulnerability which has not been exploited, but was reported to us by a third party on June 16 (an earlier version of this post said June 15). We have addressed the issue with these updates, and are providing new, fully-tested versions for all affected versions of Movable Type in all supported configurations. A detailed description of the vulnerability can be found below, but in short a cross-site scripting (XSS) vulnerability has been found in Movable Type's built-in search feature, which could be exploited by malicious parties to execute JavaScript in a visitor's browser, in the context of the site, without that visitor's knowledge.
We have no record of a user having been affected by this vulnerability, and there are no known public exploits. The release candidates of Movable Type 4.2, currently in testing, Movable Type 3.36 and Movable Type Enterprise 1.5 are all unaffected by this issue. Here's the Update Advisor, which summarizes the issues found and provides a guide for updating your installation of Movable Type.
Movable Type Update Advisor: Version 4.01b and 4.12:
- Release Type: Security Release. The potential vulnerability has not yet been exploited in the wild.
- Mandatory? This is a mandatory update for all users of Movable Type 4.0 and later.
- Performance Implications: None.
- Plugins Affected: None.
- Templates Affected: No changes in your templates are required.
- System Requirements: This release has no new or additional system requirements.
- Licensing considerations: None. MT 4.01b and MT 4.12 are free updates for users of any version of MT 4.
- Upgrade Fatigue: No planned updates are scheduled until the release of MT4.2, which is currently in the final stages of release. There will be no further releases before MT 4.2 unless significant security issues are found which require additional 4.x releases. It has been 152 days since the last recommended update to MT4.
Downloads are available in your account for current customers or through the download page.
Downloads are available through the channel where you received Movable Type: Paying users can find the update by logging in to your Movable Type account, and users of Movable Type Open Source or the free personal license can get the update from the download page.
In addition to the updates to Movable Type 4.01b and 4.12 for MT4 users, we have issued updates to the Movable Type Community Solution and Enterprise Solution. If you are on one of these platforms, you should have already been contacted by your account representative about these updates.
A Commitment to Security
We take Movable Type's security very seriously, especially as we know many of you choose Movable Type for its security track record. In addition to issuing fixes to affected versions of Movable Type, we have also amended our development and testing processes internally to help better detect these types of vulnerabilities in the future. As InformationWeek just noted, Movable Type has "a fraction of the security incidents of its peers". That means we take this update, and all security concerns extremely seriously out of commitment to you as a Movable Type user, out of our desire to uphold our reputation, and out of responsibility to the entire web to try to ensure technology platforms are as secure as possible.
Detailed Description
When conducting a tag search in Movable Type, the application does not properly escape the optional IncludeBlogs query string parameter before reflecting it into the page it returns. As a result, a third party could construct a link that performs a tag search and, unbeknownst to the user who clicks it, also executes JavaScript that the third party embedded in the link, in the context of the site. Such code could be used to transmit sensitive information about the user's active session to the attacker.
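The bug pattern, as an added illustration in Python rather than the Perl of lib/MT/App/Search.pm (this is not Movable Type's own code): a search page that reflects IncludeBlogs into a hidden form field verbatim, next to the two fixes a reviewer would ask for, HTML-attribute encoding at the point of output and allowlist validation of the value, plus the check a tester runs to confirm the fix. The URL layout, the hidden field, the comma-separated blog-ID format and the attack link are all constructed for the example.

```python
"""Reflected XSS through a search parameter: the vulnerable rendering
beside two fixes (output encoding, allowlist validation) and the check a
tester uses to confirm the fix.

Added illustration; Movable Type's search handler is Perl and is not
reproduced here. The page fragment, the hidden form field and the
blog-ID format are assumptions made for the example.
"""
import html
import re
from typing import List, Optional
from urllib.parse import parse_qs, urlsplit

# Constructed attacker link: the IncludeBlogs value closes the attribute it
# is reflected into and injects a script tag.
ATTACK_URL = (
    "http://blog.example/mt/mt-search.cgi?tag=perl"
    '&IncludeBlogs=1"><script>alert(document.cookie)</script>'
)
BENIGN_URL = "http://blog.example/mt/mt-search.cgi?tag=perl&IncludeBlogs=1,2"

# Assumed page fragment into which the parameter is reflected.
_PAGE = ('<form action="mt-search.cgi">'
         '<input type="hidden" name="IncludeBlogs" value="{}"></form>')
_ID_LIST = re.compile(r"^\d+(?:,\d+)*$")


def include_blogs_param(url: str) -> str:
    """Raw IncludeBlogs value from the query string ('' if absent)."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return query.get("IncludeBlogs", [""])[0]


def render_vulnerable(include_blogs: str) -> str:
    """The bug pattern: the parameter lands in the page verbatim."""
    return _PAGE.format(include_blogs)


def render_encoded(include_blogs: str) -> str:
    """Fix 1: HTML-attribute-encode at the point of output (& < > " ')."""
    return _PAGE.format(html.escape(include_blogs, quote=True))


def parse_blog_ids(include_blogs: str) -> Optional[List[int]]:
    """Fix 2: IncludeBlogs is a comma-separated list of blog IDs, so
    reject anything else before it reaches a template."""
    if not _ID_LIST.match(include_blogs):
        return None
    return [int(x) for x in include_blogs.split(",")]


def render_validated(include_blogs: str) -> Optional[str]:
    """Both fixes together: validate the value, then encode what is rendered."""
    ids = parse_blog_ids(include_blogs)
    if ids is None:
        return None
    return render_encoded(",".join(str(i) for i in ids))


def reflected_unescaped(raw_value: str, page: str) -> bool:
    """Tester's check: a value carrying markup metacharacters that comes
    back byte-for-byte in the response is a reflected XSS sink."""
    return any(ch in raw_value for ch in '<>"') and raw_value in page


if __name__ == "__main__":
    for url in (BENIGN_URL, ATTACK_URL):
        raw = include_blogs_param(url)
        print(url)
        print("  vulnerable reflects unescaped:", reflected_unescaped(raw, render_vulnerable(raw)))
        print("  encoded reflects unescaped:   ", reflected_unescaped(raw, render_encoded(raw)))
        print("  validated render:             ", render_validated(raw))
```

Encoding at output is what a one-file replacement of a search handler amounts to, and it is the fix that has to be present regardless of anything else. The allowlist is the additional layer: a list of blog IDs never legitimately contains markup, so rejecting the request outright also removes the parameter from every other sink it might reach. `reflected_unescaped` is how to verify the deployed fix from outside: send a value containing `<`, `>` and `"` and confirm it does not come back verbatim.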
Versions Affected
Only the following versions of Movable Type are affected by this issue.
- Movable Type 4.0, 4.01, 4.01a (Personal and Commercial)
- Movable Type 4.1 (Open Source, Personal and Commercial)
- Movable Type Community Solution 1.0, 1.0a
- Movable Type Community Solution 1.5
- Movable Type Enterprise Solution 1.0
All other versions of Movable Type, including the 4.2 release candidates, are not affected by this issue.
Applying the Fix
- Users of Movable Type 4.0, 4.01 and 4.01a can install the updated Movable Type 4.01b, or they can replace the lib/MT/App/Search.pm file found in their distribution with an updated version.
- Users of Movable Type 4.1 and 4.1a can install the updated Movable Type 4.12, or they can replace the lib/MT/App/Search.pm file found in their distribution with an updated version.
Learn more about Upgrading Movable Type 4 in the MT documentation.
As always, thank you so much for choosing Movable Type and we sincerely apologize for the inconvenience of having to upgrade your software, and are committed to making such updates as infrequent as possible.
20x200: When Art Meets Commerce, An Industry Shifts
Here at Six Apart, we've always had one foot in the world of design and the other in technology, so it seems logical to us that a robust content management system like Movable Type can be used to create something beautiful - something that looks, well, nothing like a blog.
For those in an industry that prides itself on aesthetics and has long withstood digital innovation, that can be hard to imagine. Of the few industries that have resisted taking part in new media, none is more glamorous than art. Long the province of white-walled galleries and mysterious pricing schemes, art has historically been accessible only to a privileged few.
In January 2007, when gallery owner and entrepreneur Jen Bekman had her middle-of-the night revelation that the Internet was a perfect vehicle for making art available to everyone, she was instrumental in ushering the art market into the digital age. Jen named the venture 20x200, and devised the following formula: each week, she would offer two limited-edition prints - an edition of 200 for $20, an edition of 20 for $200, and an edition of 2 for $2,000. The entire business would be conducted online.
To build out the 20x200 site, Jen enlisted the help of photographer and web consultant Raul Gutierrez. Both Jen and Raul had extensive backgrounds in technology; Jen's career included leadership roles at Netscape and Disney, while Raul, himself an accomplished photographer, had built and produced a number of successful websites.
When they decided to use Movable Type to build out the site, they agreed on one thing: it couldn't look like a blog. The entire 20x200 site was built in Movable Type, using multiple custom plug-ins and integrating Google Checkout to make buying simple. Every Tuesday and Wednesday, Jen sends a newsletter to the 20x200 mailing list, in which she announces that day's edition and discusses its context and relevancy within the art world. The newsletter acts not only as a sales tool, but also as a rich source of information for new and seasoned collectors alike.
The newsletter contains links that lead to the page on the 20x200 site where the edition is displayed. Next to each edition sits a real-time inventory number, indicating how many pieces remain.
Movable Type demonstrates its abilities as a flexible, powerful CMS, allowing 20x200 to easily manage their growing catalogue of artwork. The site uses many custom fields to enable administrators to enter data for each edition quickly and simply; fields such as artist name, artist statement and website URL are consistent across each entry, so that visitors to the site can browse artists and find facts with ease.
Less than a year after 20x200 launched, the site has been an unqualified success: over 14,000 prints have been sold to date, to a customer list that includes artists, celebrities and respected collectors from around the world. The site has become an important complement to Jen's New York gallery, and a vital part of her ongoing mission to champion emerging artists.
When we talk about Movable Type, we often say: "you imagine it, we enable it" and 20x200 demonstrates that maxim - dare we say - artfully.
If you follow blogging news, you've undoubtedly heard a lot of concern recently about blogs on other platforms being hacked or blocked from search engines. Good news: Movable Type has a proven track record of having excellent security and an established reputation for fixing any known issues quickly. And that history of security is by design. We think there are some key things our community needs to know:
- We believe in making Movable Type secure out of our obligation to making the web better: Insecure web software can be a vector for spreading spam, viruses, and malware.
- Movable Type has the best security track record of any popular installable blogging software, according to the vulnerability counts in the National Vulnerability Database, which is sponsored by the U.S. Department of Homeland Security.
- Movable Type security updates are prominently publicized on our Movable Type homepage, and through the application itself. Our team proactively contacts Enterprise and Community Solution customers if a security issue has been raised.
- Movable Type's security record is getting better, while other platforms are getting worse and seeing increasing numbers of reported vulnerabilities.
- When any issues have been found with Movable Type, they've typically been discovered through our own routine security audits, and fixed without ever having been exploited in the wild.
These facts show that Movable Type has a significantly different history than other platforms. But more importantly, they show that we're attuned to the concerns of the publishers and bloggers who rely on Movable Type to build their businesses and make a living.
We're not saying our track record is perfect. But take a minute and review our last security update in January. We listed our history of issues ("It has been 116 days since the last recommended update to MT4 and 273 days since the last recommended update to MT3.") and we mentioned whether applying the security fix would affect templates, plugins or performance. (No, no and no.) There are dozens of reasons to upgrade to MT4, from unique reporting and management features to powerful community capabilities. But above all, you shouldn't have to worry that sharing your ideas with the world or wanting to publish for a passionate community means putting your site, and your reputation, at risk.
The Bottom Line
While we're proud of our work, and especially proud of our community's focus on security, you don't have to take our word for it: look at the data provided by a neutral third party. In this case, it's the National Vulnerability Database, which is maintained by NIST and sponsored by the U.S. Department of Homeland Security. We searched the vulnerability database since 2005 for Movable Type and for WordPress, and included the partial counts for this year. In the chart, a lower bar is better. The results speak for themselves:
[Chart: number of National Vulnerability Database entries since 2005 for Movable Type and for WordPress, including partial counts for the current year; image not reproduced here.]
We think it's inarguable that there's a dramatic difference in the security of these platforms. And, as we've demonstrated for nearly seven years, we're working every day to maintain Movable Type's excellent record of security.
Six Apart is a leading company in the field of social graph experimentation and the participating company most willing to be outspokenly critical of some of Google's efforts, such as OpenSocial. BlogIt is interesting beyond its basic functionality because it can tie together confirmed accounts on Facebook, outside blogs and Twitter, and then place that information in the hands of a company dedicating significant time and resources to leveraging such information in the interests of users. BlogIt may be just a beachhead landed in hostile territory: not Facebook's, but that of online identity chaos in general.
There's a very small club of people who've been blogging for ten years. We talked to a number of these experts last year to celebrate Dave Winer's 10th anniversary as a blogger, with more posts discussing Leslie Harpold, Michael Sippey and Harold Check. Today, another respected member of the blogging community joins that esteemed club, and we're thrilled to congratulate Jason Kottke on ten years of blogging.