Attention bloggers! If you have a blog that runs Movable Type software there is a critical update that you need to install immediately.
Today we released a mandatory security update for Movable Type and Movable Type Enterprise to resolve a number of cross-site scripting vulnerabilities. To make updating your system easier, we are providing patch distributions for Movable Type versions 3.32 and Movable Type 3.2 containing only the files which have changed.
As one of the first to report this issue (which Movable Type maker Six Apart was already working to resolve), I can assure you of its seriousness. Six Apart has asked that I (and others) sit on the details of the vulnerabilities for a few days until their customers have a chance to apply the patch or upgrade. It’s important to note that versions prior to version 3.2 are, in certain instances, vulnerable and upgrading to the latest version is strongly recommended.
Thanks for the heads up! I’m running MT 3.2 for my blogs presently, and was blissfully unaware of the impending doom.
The patch installs pretty easily, even though there are no instructions with it …
Well … make that 3.33 now.
One of the things I absolutely love about Movabletype is how simple upgrades and installs are. I had my 3.21 upgraded to 3.33 in about 15 minutes including downloading the tarball, reading the changelog and upgrade guide, to finishing the upgrade.
Now I’m off to play with the widgets.
I’m still on MT 2.661; I’m worried that upgrading from 2.661 to 3.33 will be a weekend-long task, and I’ll have to cancel other planned activities.