MT v3.15 (Critical Security Update) released


From the Movable Type web site:

Version 3.15 fixes a vulnerability in the mail sending packages for all Movable Type versions which allows malicious users to send email through the application to any number of arbitrary users.

All users should install this update.

This release fixes a nasty bug: a malicious user can (among other things) post a comment to an MT weblog and cause the comment-notification e-mail to be sent to any number of recipients of their choosing, which turns the weblog into a spam relay.

As noted above, the bug is present in all versions of MT, all 3.x as well as 2.x versions. To secure your MT installation, you can either 1) upgrade to MT v3.15, or 2) install the newly-released plugin (patch-20050124-mail-spam.pl). The plugin corrects the vulnerability in MT 3.x installations prior to MT v3.15 as well as in MT 2.661 (the plugin has not been tested on MT 2.x versions other than MT 2.661).

Spammers are already exploiting this flaw on MT weblogs, so it is very important to upgrade to MT v3.15 or install the new plugin as soon as possible.
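The advisory only says that a comment can make the notification mailer send to recipients the attacker picks; it does not say how. The Python below is an added example, not Movable Type's code and not the patch plugin (which is Perl). It assumes the usual way this class of bug arises: a user-supplied field is copied straight into raw header lines, so an embedded CR/LF starts a new header such as Bcc:. The "before" builder is shown next to a hardened one that validates header fields, refuses anything but a single address, and keeps the recipient fixed server-side. SITE_OWNER, the function names and the two sample comments are constructed for the example.

```python
import email
import re
from email.message import EmailMessage
from email.utils import getaddresses

# Hypothetical configured notification address: the only recipient a
# comment notification should ever reach.
SITE_OWNER = "owner@example.org"

# A CR or LF ends the header line, so anything after it is parsed as a
# *new* header by the MTA; NUL is rejected for good measure.
_HEADER_BREAK = re.compile(r"[\r\n\x00]")
# Deliberately strict single-mailbox syntax: no commas, spaces or angle
# brackets, so one field cannot carry a list of addresses.
_SINGLE_ADDRESS = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")


class RejectedInput(ValueError):
    """Raised when a comment field is unsafe to place in a mail header."""


def build_notification_naive(comment):
    """'Before' form (assumed pattern, not MT's actual code): headers are
    built by string interpolation, so a CR/LF inside the commenter's
    e-mail address injects extra headers such as Bcc:."""
    headers = (
        f"To: {SITE_OWNER}\r\n"
        f"From: {comment['email']}\r\n"
        f"Subject: New comment on {comment['entry']}\r\n"
    )
    return headers + "\r\n" + comment["text"]


def build_notification_hardened(comment):
    """Hardened form: validate every field that lands in a header, refuse
    multi-address values, and never take the recipient from the request."""
    for field in ("email", "entry"):
        if _HEADER_BREAK.search(comment[field]):
            raise RejectedInput(f"line break in {field}")
    if not _SINGLE_ADDRESS.match(comment["email"]):
        raise RejectedInput("commenter e-mail is not a single address")
    msg = EmailMessage()
    msg["To"] = SITE_OWNER  # fixed server-side
    msg["From"] = comment["email"]
    msg["Subject"] = f"New comment on {comment['entry']}"
    msg.set_content(comment["text"])
    return msg.as_string()


def delivery_recipients(raw_message):
    """Every address an MTA would deliver the raw message to (To, Cc, Bcc),
    in header order; shows what the attacker actually achieved."""
    msg = email.message_from_string(raw_message)
    addrs = []
    for header in ("To", "Cc", "Bcc"):
        addrs.extend(addr for _, addr in getaddresses(msg.get_all(header, [])))
    return addrs


def rejects(comment):
    """True when the hardened builder refuses the comment."""
    try:
        build_notification_hardened(comment)
    except RejectedInput:
        return True
    return False


# Constructed sample comments, not real submissions.
BENIGN_COMMENT = {
    "email": "reader@example.com",
    "entry": "MT v3.15 released",
    "text": "Thanks for the heads-up.",
}
MALICIOUS_COMMENT = {
    "email": "spam@example.net\r\nBcc: victim1@example.com, victim2@example.com",
    "entry": "MT v3.15 released",
    "text": "Buy stuff.",
}

if __name__ == "__main__":
    print("naive delivers to:", delivery_recipients(build_notification_naive(MALICIOUS_COMMENT)))
    print("hardened rejects malicious:", rejects(MALICIOUS_COMMENT))
    print("hardened delivers to:", delivery_recipients(build_notification_hardened(BENIGN_COMMENT)))
```

The naive builder hands the MTA three recipients for the malicious comment; the hardened one refuses it and, for a legitimate comment, produces a message addressed only to the configured owner. The same check belongs on any field that reaches a header (subject, name, URL), which is why the entry title is validated too.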

Special thanks to Six Apart for their quick action on this issue. Total time from reporting of flaw to release of fix: 48 hours. (I know this because I reported the flaw.) Considering the flaw was reported on a Saturday night, this was an excellent response by the Six Apart team!

Update 26 Jan 2005: Total Choice Hosting (TCH) installed the plugin yesterday on all MT installations across all TCH servers to proactively protect their customers.

1 TrackBack

MT 3.15 is out. Download & Update: Version 3.15 fixes a vulnerability in the mail sending packages for all Movable Type versions which allows malicious users to send email through the application to any number of arbitrary users. All users should install... Read More

3 Comments

It seems that they've left out the instructions to upgrade 3.14 to 3.15? There's no instruction on how to do that. I've just downloaded the upgrade and uploaded the whole thing to my MT installation. That seems to do the trick already, with my login page showing that I have 3.15 installed. Is there something that I should be doing besides uploading all the files? I've also deleted all the mt-upgradexx.cgi files too...

Basically you just need to follow the MT Upgrading Instructions (which it sounds like you've already done). You do not need to do anything (such as running any upgrade scripts) after uploading the new MT 3.15 files to your server when upgrading from MT 3.14.

What's crazy is that from the time my engineers and I found out about the problem to the time we released, only about 4.5 hours had elapsed. That includes investigation, fixing, creating the plugin, testing, communicating with our European and Japanese subsidiaries and coordinating a release, writing up messaging and then releasing.

Had it not been found on a Saturday, the total response time from the reporting of the bug would have been about that much time. Sadly, it was just one of a couple hundred emails in my inbox.

Thanks so much for reporting it, David. Even if I didn't find out about your report until afterwards. (My fault, not yours).

About this Entry

This page contains a single entry by TweezerMan published on January 24, 2005 9:39 PM.
