Movabletype doesn’t report security issues
Every so often I come across a comment on the web about how Movabletype “doesn’t have the security issues” that WordPress does, which really annoys me. No one likes bugs, but being misinformed about security is wrong.
The reality is that this couldn’t be further from the truth. Movabletype has had at least three security issues this year, but Movabletype is to blame for hiding/lying about the situation, publishing no vulnerability reports and leaving people in the dark until they have a fix. So which is worse: warning people ahead of time that there’s a vulnerability and not being petty about how it will make you look, or just not telling the users while the hackers already know how to exploit the problem?
Essentially no one researches Movabletype security vulnerabilities anymore – perhaps the user base has become too small, perhaps hackers aren’t even bothering because they can’t find sites using it worth hacking.
Want proof? It’s simple. Go to any site that tracks security vulnerability announcements. Here’s an example, Secunia:
Find Movabletype 4 in the list. Oh wait – you CAN’T.
You can find 3.x but not 4.x.
So Movabletype reports itself as having no security issues for 4.x.
BUT, that’s a LIE. Here are three security update announcements:
So just like Microsoft, Movabletype doesn’t officially acknowledge security issues until they have a fix. Therefore it doesn’t get a security advisory and they keep their security stats low (or non-existent). Very sneaky.