RealTime IT News

Movable Type Vulnerability Patched

Blogging giant Six Apart has released a new version of its Movable Type software and a plug-in for earlier versions, urging all users to update as soon as possible.

The new version plugs a recently discovered exploit that could allow a malicious user to send e-mail via Movable Type to any number of arbitrary users.

The vulnerability affects all versions of Movable Type all the way back to version 1.0. Six Apart's hosted blogging service Typepad is not affected.

According to Jay Allen, product manager for Movable Type at Six Apart, the vulnerability was patched as rapidly as possible.

"Yesterday at around 3:30 p.m. I got pulled out of a meeting and was told that there were spammers exploiting this hole," Allen told internetnews.com. "I came out and we had our main two engineers working to find out how the exploit was being used and where exactly it manifested itself in the code. It took them about 30 to 45 minutes to find that out."

The Movable Type vulnerability was never reported to any major security firm or reporting agencies. Allen explained that vulnerability reporting is something that Six Apart hasn't done in the past, adding that the company doesn't have a formal policy for vulnerability reporting. He did note that he would like to rectify that situation.

"We've been really open in the past with all of our bug fixes and we're very much in favor of being transparent with the process and letting people know when there is a problem and being honest about it," Allen explained. "We're a blogging company, and we don't hide things from our users."