Movable Type V3.15


TweezerMan
Movable Type 3.15 Released

 

Version 3.15 fixes a vulnerability in the mail sending packages for all Movable Type versions which allows malicious users to send email through the application to any number of arbitrary users.

 

All users should install this update.

The fix has also been made available as a plugin that is compatible with 2.661 and higher, so please take advantage of this ASAP to protect your installation.

 

(from MT Forums)

Link to comment
Share on other sites

I went to install this plugin just now only to find that someone had already installed it on all my installations across 3 different servers.

 

If this was a security measure by TCH, I'd have appreciated an email to let me know. It's very disconcerting to go into my folders and find things there that I didn't upload.

 

Honestly, I'm feeling a little violated right now.

Link to comment
Share on other sites

We just completed pushing a file to all MT installations. This was done on all servers. This was in direct response to many users' MT installs being exploited by hackers.

 

If you feel violated that we pushed a plugin into your MT install I am very sorry. Imagine how we have felt the past three days seeing MT being attacked and there was nothing that could be done. Furthermore, imagine how all the users not running MT on your server would have felt when your install was compromised and the server sent out 100 million emails causing high loads, down time and IP blacklisting.

 

TCH made the right choice. I am sure you want a secure, safe and reliable server. It seems we can never please all of the people all of the time. This is a risk I am willing to take to insure server security and reliability.

 

An e-mail is being dispatched to all our clients, however, we patched our servers before the e-mail went out. This is sometimes done during rushed patch installs.

 

Bill

Link to comment
Share on other sites

Sorry for the late update, today has been a busy day.

 

This e-mail was sent to all clients of TCH.

 

--------------------------------

 

Hello,

 

Late last night the makers of Movable Type announced that a vulnerability existed in all versions of Movable Type. Movable Type is a software that is not supplied by TotalChoice, however it is very popular with our client base. If you are not using Movable Type, please ignore this email.

 

This exploit in all versions of Movable Type allowed a malicious user to exploit the e-mail functions of Movable Type and send unlimited spam e-mail from the targeted site.

 

We noticed certain Movable Type sites several days ago start sending massive amounts of e-mail, which caused several of our servers to crash. At that time we were not aware of the exploits.

 

Once we were informed of the exploits and were given access to a plug-in that would stop the attacks we immediately pushed out a file to all of the users' Movable Type directories.

 

This e-mail is only a notice that a new plugin exists in your Movable Type installation.

 

We urge you to upgrade your Movable Type Installation to the most current and up-to-date version, 3.15.

 

Thank you for your continued support.

 

TotalChoice Hosting

Link to comment
Share on other sites

Yes, this vulnerability in MT was already being exploited. The exploits were what led to the vulnerability being discovered.

 

Last Saturday, on Jay Allen's MT-Blacklist forum, a user reported that their mt-comments.cgi script was hijacked to send e-mail spam.

 

TextDrive shut down all mt-comments.cgi scripts on their servers due to spammers attacking this vulnerability.

 

I was not aware that any MT sites hosted by TCH were being exploited, but it does not surprise me that there were.

 

The exact nature of the vulnerability is that a malicious user can (among other things) post a comment to an MT weblog and cause comment notification e-mails to be sent to any number of recipients they choose. To exploit this hole, notifications MUST be turned on and hence the user should notice.

 

Let's say my install was exploited. Would there be any telltale signs in my logs? What would I be looking for?

There would be no sign at all in your logs. The sign that your MT install was being exploited would be in your comment notification e-mails. You should see extra e-mail headers (such as BCC:) and extra e-mail addresses after the commenter's "Email Address:" listed in the notification.

Link to comment
Share on other sites
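The signs described in the post above (extra headers such as BCC: and extra addresses after "Email Address:"), turned into a check over saved notification e-mails. This is an added example, not part of the original thread and not Movable Type or plugin code; the notification layout, the `audit_notification` helper, and all addresses are constructed assumptions.

```python
import re
from email import message_from_string

ADDR = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
# Header names that should never appear as a line inside the notification body.
HEADER_LIKE = re.compile(r"^(to|cc|bcc|from|subject|content-type)\s*:", re.I)

def audit_notification(raw, expected_recipients):
    """Return (kind, where, value) findings for one comment-notification e-mail."""
    msg = message_from_string(raw)
    expected = {a.lower() for a in expected_recipients}
    findings = []
    # Sign 1: recipient headers naming anyone other than the weblog's own address.
    for name in ("to", "cc", "bcc"):
        for value in msg.get_all(name, []):
            for addr in ADDR.findall(value):
                if addr.lower() not in expected:
                    findings.append(("unexpected-recipient", name, addr))
    # Sign 2: extra addresses after "Email Address:", or header-style body lines.
    body = "" if msg.is_multipart() else msg.get_payload()
    for line in body.splitlines():
        if line.lower().startswith("email address:"):
            for addr in ADDR.findall(line)[1:]:
                findings.append(("extra-address", "body", addr))
        elif HEADER_LIKE.match(line):
            findings.append(("header-in-body", "body", line.strip()))
    return findings

# Constructed samples (not real notifications); the field layout is an assumption.
CLEAN = """\
From: blog@example.org
To: owner@example.org

Name: Alice
Email Address: alice@example.net
Comments: Nice post.
"""
SUSPECT = """\
From: blog@example.org
To: owner@example.org
Bcc: a@example.com, b@example.com

Name: Bob
Email Address: bob@example.net, c@example.com
Bcc: d@example.com
"""
if __name__ == "__main__":
    print(audit_notification(SUSPECT, ["owner@example.org"]))
```

Run it over the notification mailbox for the weblog, passing the address that is supposed to receive notifications as `expected_recipients`.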

Thanks for the welcome, Don and Bruce! :dance:

 

If you feel violated that we pushed a plugin into your MT install I am very sorry. Imagine how we have felt the past three days seeing MT being attacked and there was nothing that could be done. Furthermore, imagine how all the users not running MT on your server would have felt when your install was compromised and the server sent out 100 million emails causing high loads, down time and IP blacklisting.

 

TCH made the right choice. I am sure you want a secure, safe and reliable server. It seems we can never please all of the people all of the time. This is a risk I am willing to take to insure server security and reliability.

It's not an easy decision to push files on users' installations, but I think TCH made the right decision too. By making the fix into a plugin that worked on both MT 2.x and 3.x installations, Six Apart made it very easy for TCH to fix all MT installations in one shot instead of waiting for each user to find out about the vulnerability and waiting for them to eventually fix it themselves (if they ever did).

Link to comment
Share on other sites

TCH made the right choice. I am sure you want a secure, safe and reliable server. It seems we can never please all of the people all of the time. This is a risk I am willing to take to insure server security and reliability.

It's not an easy decision to push files on users' installations, but I think TCH made the right decision too. By making the fix into a plugin that worked on both MT 2.x and 3.x installations, Six Apart made it very easy for TCH to fix all MT installations in one shot instead of waiting for each user to find out about the vulnerability and waiting for them to eventually fix it themselves (if they ever did).

 

I definitely think it was the right decision. All I was saying is that I went into my plugin folder to do something else, saw an unknown file in there with "mail spam" in the title and immediately deleted it because I thought I was being attacked by some weird spammer worm or something. :eek: I spent a terrified hour thinking either my software had grown a mind of its own or someone had hacked all my accounts, and by the time I came in here and realized what was going on I was majorly freaked out. :dance: Just a bizarre coincidence that I happened to FTP up there right after the thing got installed. :oops:

 

So let me apologize again to everyone at TCH - I've never had a host that cared enough about their customers to take the initiative and make sure everyone's stuff was safe. I should know better having been here over six months now, but I guess years of bad hosting experiences can make you a little twitchy. :)

 

You guys really do rock and I appreciate it. :dance:

 

-Iki

Link to comment
Share on other sites

  • 2 weeks later...
I didn't receive that email.  I did get one on the 2/5/2005 requesting that I upgrade, but nothing saying that any files had been uploaded.

 

Yeah, I was a little surprised by the email, very impersonal (which is unusual from TCH) and very vague. "several older versions of the various blog software" and "all accounts using blogging software" and "make these upgrades immediately to avoid suspension of services. ;) " Now I'm worried. :) I have MT3.14, but TCH staff have patched it so I'm good to go, right? Or am I still required to upgrade to 3.15? :P

Link to comment
Share on other sites
