Blogging giant Six Apart has released a new version of its Movable
Type software and a plug-in for earlier versions, urging all users to
update as soon as possible.
The new version closes a recently discovered vulnerability that could
allow a malicious user to send e-mail through Movable Type to any number
of arbitrary recipients.
The vulnerability affects all versions of Movable Type all the way
back to version 1.0. Six Apart’s hosted blogging service Typepad is not
affected.
According to Jay Allen, product manager for Movable Type at Six Apart,
the vulnerability was patched as rapidly as possible.
“Yesterday at around 3:30 p.m. I got pulled out of a meeting and was told
that there were spammers exploiting this hole,” Allen told
internetnews.com. “I came out and we had our main two engineers
working to find out how the exploit was being used and where exactly it
manifested itself in the code. It took them about 30 to 45 minutes to find
that out.”
The Movable Type vulnerability was never reported to any major security
firm or vulnerability reporting agency. Allen explained that
vulnerability reporting is something Six Apart hasn’t done in the past,
adding that the company doesn’t have a formal policy for it.
He did note that he would like to rectify that situation.
“We’ve been really open in the past with all of our bug fixes and we’re
very much in favor of being transparent with the process and letting
people know when there is a problem and being honest about it,” Allen
explained. “We’re a blogging company, and we don’t hide things from our
users.”