
Security update for IntelliJ-based IDEs v2016.1 and older versions - shalupov
http://blog.jetbrains.com/blog/2016/05/11/security-update-for-intellij-based-ides-v2016-1-and-older-versions/
======
w23j
So I have just updated WebStorm. The "About" dialog now says:

    WebStorm 11.0.4
    Build #WS-143.2370, built on April 29, 2016

"Check for Update" tells me I have the latest version.

However the FAQ (http://blog.jetbrains.com/blog/2016/05/11/security-update-for-intellij-based-ides-v2016-1-and-older-versions/) says:

    "All updates published after May 10th contain the security update."

Which would mean that a version built "April 29, 2016" is vulnerable?

Also the linked download page
([https://confluence.jetbrains.com/display/WI/Previous+WebStor...](https://confluence.jetbrains.com/display/WI/Previous+WebStorm+Releases))
says:

    "Latest version: WebStorm 11.0.5 (build 143.2370, May, 11 2016)"

That is, the version number and date are different from what I have, but the
build number is the same?!

Maybe it's too late in the day for me to think straight, but something's wrong
here. What product versions are safe?

~~~
prigara
Sorry for the confusion. The latest update for version 11 is 11.0.4 and you're
using it now. It fixes the vulnerability. I fixed the error on the confluence
page, thanks for pointing that out.

------
toyg
If anyone on OSX has trouble launching the updated .app bundle: check the JVM
specified in info.plist (right-click on the .app -> Show Package Contents ->
Contents -> Info.plist) is 1.7* or (better, for Retina support) 1.8* . The
default 1.6* just kept crashing for me (PyCharm 3.4.4, OSX 10.11.4, way too
many Java versions installed for my own mental health).

~~~
oddx
In my Info.plist: <key>JVMVersion</key><string>1.8*,1.8+</string>, but still
kept crashing. Have to rollback to old vulnerable version.

~~~
hhariri
There is a workaround for start-up crashes

https://intellij-support.jetbrains.com/hc/en-us/articles/208516145

Please see if that works.

------
MelmanGI
What is the built-in web server used for and how can I disable it?

~~~
hhariri
It's used for numerous things, including web development, running and
debugging, as well as other uses such as serving docs, etc. Unfortunately
right now it's not possible to disable.

------
chinathrow
If you're not running the latest version, make sure to check for updates twice in
order to see the free minor version upgrade.

------
vvanders
FYI this also covers Android Studio, so anyone using that should upgrade as
well.

------
mavroprovato
I'm behind a firewall, doesn't this mean I'm safe?

~~~
anglebracket
No, all that's necessary to trigger it is browsing to a page containing
attacker-controlled JavaScript or Flash. The browser on your own computer
would be connecting to the server on your own computer, and firewalls tend to
only block external connections.
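The mechanism described in the reply above (a web page loaded in your own browser making requests to a server listening on your own machine, which no perimeter firewall sees) is the reason a loopback-bound service still needs request-level checks. The following is an added example and not JetBrains' code, nor a description of how their fix works (the thread does not say): a minimal Python handler bound to 127.0.0.1 that refuses requests whose Host header is not a loopback name (blocks DNS rebinding) or whose Origin, Referer or Sec-Fetch-Site headers show the request came from a cross-site page. The port, the allowlist and the sample headers are constructed assumptions.

```python
"""Added example: loopback HTTP server that rejects cross-site requests.

Assumptions (not from the original thread): port 63342 and the allowlist
below are constructed placeholders; the actual IDE server is not modelled.
"""
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

# Constructed allowlist of names a legitimate local client would use as Host.
ALLOWED_HOSTS = {"localhost", "127.0.0.1", "[::1]"}
BIND_ADDR = ("127.0.0.1", 63342)  # constructed port


def host_allowed(host_header):
    """True when the Host header (optionally with :port) names the loopback
    machine. A foreign Host value means DNS rebinding or a proxied request."""
    if not host_header:
        return False
    host = host_header.strip().lower()
    if host.startswith("["):          # bracketed IPv6 literal, e.g. [::1]:63342
        host = host.split("]")[0] + "]"
    else:                             # strip an optional :port
        host = host.rsplit(":", 1)[0]
    return host in ALLOWED_HOSTS


def url_host_allowed(url):
    """Apply host_allowed() to the authority part of an absolute URL
    (used for Origin and Referer values)."""
    if not url or url == "null":      # "null" origins come from sandboxes/files
        return False
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False
    return host_allowed(parts.netloc)


def request_allowed(headers):
    """Decide whether a request may reach the local service.

    `headers` is any mapping with .get() (dict or http.server's message object).
    Order of checks:
      1. Host must be loopback (defeats DNS rebinding).
      2. Sec-Fetch-Site, sent by modern browsers, must not be "cross-site".
      3. If Origin is present it must be loopback; otherwise, if Referer is
         present it must be loopback. Requests carrying neither (e.g. a
         direct navigation or a non-browser tool) are allowed.
    """
    if not host_allowed(headers.get("Host")):
        return False
    if (headers.get("Sec-Fetch-Site") or "").strip().lower() == "cross-site":
        return False
    origin = headers.get("Origin")
    if origin is not None:
        return url_host_allowed(origin)
    referer = headers.get("Referer")
    if referer is not None:
        return url_host_allowed(referer)
    return True


class LoopbackHandler(BaseHTTPRequestHandler):
    """Serves a trivial body only when request_allowed() accepts the request."""

    def do_GET(self):
        if not request_allowed(self.headers):
            self.send_response(403)
            self.end_headers()
            self.wfile.write(b"forbidden: cross-site or non-loopback request\n")
            return
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(b"ok\n")


if __name__ == "__main__":
    # Binding to 127.0.0.1 alone is not enough: any page in a local browser
    # can still reach this port, so the header checks above do the real work.
    HTTPServer(BIND_ADDR, LoopbackHandler).serve_forever()
```

Note that the decision logic lives in `request_allowed()` so it can be unit-tested with plain dictionaries; the handler itself is only a thin wrapper around it.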

------
estefan
This is very disappointing from JetBrains :-/

~~~
hhariri
We're sorry.

We've done our best to address the issue, provide the fixes for current
versions as well as back-port it up to 3 years for all products running on the
platform. In any case we apologise and have learned from this and will
improve.

~~~
Azkar
I'm happy with how the issue was addressed. No one can expect perfection from
a complicated piece of software such as this. I was glad to have received the
email and find the blog post with a thorough list of FAQs.

I'm glad to see proper credit given to Jordan for finding the flaw. Maybe I'm
a cynic, but I'm glad that this was an open process and not a one line blog
post about a critical security update. Keep up the great work.

