Sorry for the confusion. The latest update for version 11 is 11.0.4 and you're using it now. It fixes the vulnerability. I fixed the error on the confluence page, thanks for pointing that out.
If anyone on OSX has trouble launching the updated .app bundle: check the JVM specified in info.plist (right-click on the .app -> Show Package Contents -> Contents -> Info.plist) is 1.7* or (better, for Retina support) 1.8* . The default 1.6* just kept crashing for me (PyCharm 3.4.4, OSX 10.11.4, way too many Java versions installed for my own mental health).
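The check described in the comment above, as an added example that is not part of the original thread: a small script that reads an `.app` bundle's `Info.plist`, reports the JVM version it requests, flags a `1.6*` requirement, and rewrites it to `1.8*`. The `JVMOptions`/`JVMVersion` key names and the embedded sample plist are assumptions constructed for the example, not taken from the comment.

```python
import plistlib
import re

# Constructed sample Info.plist (an assumption, not copied from any real bundle).
# The JVMOptions -> JVMVersion key path is also an assumption.
SAMPLE_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>CFBundleName</key><string>ExampleIDE</string>
  <key>JVMOptions</key>
  <dict>
    <key>JVMVersion</key><string>1.6*</string>
  </dict>
</dict>
</plist>
"""


def jvm_requirement(plist_bytes):
    """Return the JVM version string the bundle asks for (e.g. '1.6*'), or None."""
    info = plistlib.loads(plist_bytes)
    return info.get("JVMOptions", {}).get("JVMVersion")


def jvm_major_minor(spec):
    """Turn '1.7*' or '1.8+' into (1, 7) / (1, 8); None if the spec is unparseable."""
    m = re.fullmatch(r"(\d+)\.(\d+)[*+]?", spec or "")
    return (int(m.group(1)), int(m.group(2))) if m else None


def needs_newer_jvm(plist_bytes, minimum=(1, 7)):
    """True when the bundle requests a JVM older than `minimum` (or none at all)."""
    ver = jvm_major_minor(jvm_requirement(plist_bytes))
    return ver is None or ver < minimum


def set_jvm_requirement(plist_bytes, new_spec="1.8*"):
    """Return a copy of the plist with JVMOptions/JVMVersion replaced by `new_spec`."""
    info = plistlib.loads(plist_bytes)
    info.setdefault("JVMOptions", {})["JVMVersion"] = new_spec
    return plistlib.dumps(info)


if __name__ == "__main__":
    # On a real Mac you would read .../Contents/Info.plist here instead of the sample.
    print("requested JVM:", jvm_requirement(SAMPLE_INFO_PLIST))
    if needs_newer_jvm(SAMPLE_INFO_PLIST):
        fixed = set_jvm_requirement(SAMPLE_INFO_PLIST, "1.8*")
        print("rewritten to:", jvm_requirement(fixed))
```

Back up the original `Info.plist` before writing a rewritten copy over it; the script only returns the new bytes and never touches the filesystem itself.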
It's used for numerous things, including web development, running and debugging, as well as other uses such as serving docs, etc. Unfortunately right now it's not possible to disable.
No, all that's necessary to trigger it is browsing to a page containing attacker-controlled JavaScript or Flash. The browser on your own computer would be connecting to the server on your own computer, and firewalls tend to only block external connections.
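The comment above explains why a firewall does not help: the request reaches the local server from the user's own browser. A local service therefore has to decide for itself whether a request was made by one of its own pages or on behalf of some other site. The following is an added example, not JetBrains' code and not the fix they shipped, of one common defence: a local HTTP handler that rejects requests whose `Host` header is not a local address or whose `Origin`/`Referer` header names a foreign site. The allow-list, port number, and sample header values are assumptions constructed for the example.

```python
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

# Assumed allow-list: the only hostnames the local service expects to be reached as.
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}
LISTEN_PORT = 8765  # placeholder port for the example


def hostname_of(value):
    """Bare hostname from a Host header ('127.0.0.1:8765') or a URL
    ('http://site.example/page'); None if absent or unparseable."""
    if not value:
        return None
    if "://" not in value:
        value = "//" + value  # let urlsplit treat a bare host[:port] as a netloc
    try:
        return urlsplit(value).hostname  # lower-cased, brackets stripped from IPv6
    except ValueError:
        return None


def check_request(host, origin=None, referer=None):
    """Decide whether a request to the local service should be served.

    Returns (allowed, reason). A Host header that is not a local address means the
    browser did not address us as localhost; an Origin or Referer naming another site
    means a page we did not serve caused this request. Requests with neither Origin nor
    Referer (typical of non-browser clients such as command-line tools) are accepted.
    """
    if hostname_of(host) not in LOCAL_HOSTS:
        return False, "Host header is not a local address"
    for name, value in (("Origin", origin), ("Referer", referer)):
        if value is not None and hostname_of(value) not in LOCAL_HOSTS:
            return False, f"{name} header names a non-local site"
    return True, "ok"


class LocalOnlyHandler(BaseHTTPRequestHandler):
    """Serves only requests that pass check_request; everything else gets 403."""

    def do_GET(self):
        allowed, reason = check_request(
            self.headers.get("Host"),
            self.headers.get("Origin"),
            self.headers.get("Referer"),
        )
        if not allowed:
            self.send_error(403, reason)
            return
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(b"served to a local, same-site client\n")

    def log_message(self, format, *args):  # quiet the default per-request log
        pass


if __name__ == "__main__":
    # Bind to loopback only; the header checks above guard the loopback path itself.
    HTTPServer(("127.0.0.1", LISTEN_PORT), LocalOnlyHandler).serve_forever()
```

Note that `Origin: null` (sent by sandboxed frames and some `file://` pages) is rejected because `null` is not in the allow-list, and a `Host` header that is missing or carries an IPv6 literal that fails to parse is rejected rather than ignored. Binding to loopback is still necessary but, as the comment says, not sufficient on its own.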
We've done our best to address the issue, provide the fixes for current versions as well as back-port it up to 3 years for all products running on the platform. In any case we apologise and have learned from this and will improve.
I'm happy with how the issue was addressed. No one can expect perfection from a complicated piece of software such as this. I was glad to have received the email and find the blog post with a thorough list of FAQs.
I'm glad to see proper credit given to Jordan for finding the flaw. Maybe I'm a cynic, but I'm glad that this was an open process and not a one line blog post about a critical security update. Keep up the great work.
It would be interesting to see the lessons learned. I do plain old IntelliJ development without any web stuff at the moment, so it was a surprise to learn that things were being exposed to the web.
To JetBrains' credit they were very responsive throughout the disclosure process. I received a reply to my initial report in under two hours. Generally response times are measured in days unless you know someone in the company.
They also gave me diffs against intellij-community master so I could verify their fixes were sound, and they were generally receptive to my feedback.
While the bug is a downer, I was impressed with how they responded to it, especially the fact that they simultaneously released patch updates for all products (including Android Studio) and for all relevant prior versions. The email I got made the severity clear and I was able to easily update WebStorm, PyCharm, and Android Studio without any problems.
Updating has been painless, their communication was open and direct, and there aren't (to my knowledge) any exploits in the wild. How is this a failing on their part? Do you expect 100% perfection?
However the FAQ (http://blog.jetbrains.com/blog/2016/05/11/security-update-fo...) says:
Which would mean that a version built "April 29, 2016" is vulnerable? Also the linked download page (https://confluence.jetbrains.com/display/WI/Previous+WebStor...) says:
That is, the version number and date are different from what I have, but the build number is the same?! Maybe it's too late in the day for me to think straight, but something's wrong here. What product versions are safe?