making bbPress (and WordPress) work better!

Movabletype doesn’t report security issues

Every so often I come across a comment on the web about how Movabletype “doesn’t have the security issues” that WordPress does, which really annoys me. No one likes bugs, but to be misinformed about security is wrong.

The reality is that this couldn’t be further from the truth. Movabletype has had at least three security issues this year, but Movabletype itself is to blame for hiding or lying about the situation: it issues no vulnerability reports and leaves people in the dark until it has a fix. So which is worse: warning people ahead of time that there’s a vulnerability, without being petty about how it will make you look, or just not telling the users while the hackers already know how to exploit the problem?

Essentially no one researches Movabletype security vulnerabilities anymore. Perhaps the user base has become too small, or perhaps hackers aren’t even bothering because they can’t find sites using it that are worth hacking.

Want proof? It’s simple. Go to any site that tracks security vulnerability announcements. Here’s an example, Secunia:

http://secunia.com/product/SOFT_M/#list
Find Movabletype 4 in the list. Oh wait, you CAN’T.
You can find 3.x but not 4.x.

So Movabletype reports itself as having no security issues for 4.x.
BUT that’s a LIE. Here are three security update announcements:

http://www.movabletype.com/blog/2007/09/movable-type-401-get-updated.html
http://www.movabletype.com/blog/2008/01/movable-type-security-update.html
http://www.movabletype.com/blog/2008/06/mt-security-update.html

So, just like Microsoft, Movabletype doesn’t officially acknowledge security issues until it has a fix. Therefore the issue never gets a security advisory, and they keep their security stats low (or non-existent). Very sneaky.

2 responses

  1. Pingback: Security and Hacking: The State of WordPress Blogs | The Blog Herald

  2. So just like Microsoft, Movabletype doesn’t officially acknowledge security issues until they have a fix. Therefore it doesn’t get a security advisory and they keep their security stats low (or non-existent).

    How do you figure? If they release an advisory after the fix, it’s still going to result in the same total it would if they had announced the vuln before having a fix. The only way to “keep stats low” (or non-existent) would be to hide some of them (or all of them) permanently, which you have no proof of.

    This seems more like an objection to holding back advisories until after the fix, rather than the systematic under reporting of flaws.

    And FYI, even though this post is half a year old, Secunia does have a Movable Type 4.x category today and the NIST database has vulnerabilities dating back to 2003, with 3 already reported for the first month of 2009.

    January 17, 2009 at 4:12 am
