Flash News of the Week—Adobe Promises to Patch Vulnerability of Photoshop, Illustrator and Flash Pro
After complaints from outraged users and security experts alike, Adobe has changed direction and promised to provide free patches for older versions of Photoshop, Illustrator, and Flash Professional to close eight critical vulnerabilities. The company didn’t specify when the free updates would be available for users.
Adobe will fix vulnerabilities in Flash Professional CS5.5, Photoshop CS5, and Illustrator, according to an email from its spokesperson sent late in the evening on May 11. The announcement came after users and security experts lambasted the company for telling customers to upgrade to the latest CS6 editions in order to close serious security flaws in the software.
“We are in the process of resolving the vulnerabilities addressed in these security bulletins in Adobe Illustrator CS5.x, Adobe Photoshop CS5.x and Adobe Flash Professional CS5.x, and will update the respective security bulletins once the patches are available,” wrote David Lenoe, head of Adobe’s Product Security Incident Response Team.
The company had warned users of eight serious vulnerabilities in those three applications as part of its Patch Tuesday update on May 8. An attacker could possibly take remote control of a computer by exploiting the vulnerability in Photoshop via a maliciously crafted .TIF image file. Adobe originally told users that the latest CS6 versions, released in April, fixed the issues and users should upgrade.
The upgrade versions come with a steep price tag, ranging from $99 for Flash Professional to $249 for Illustrator. Customers upgrading to CS6 Design & Web Premium, which has the latest CS6 version of Flash Professional, Photoshop and Illustrator, would have to shell out $375.
Because CS5 was launched in 2010 and CS5.5 in 2011, customers were outraged at being required to make another pricey investment to upgrade within two years.
“So it looks like Adobe is going to patch Photoshop CS5 after all. Maybe they listened to all the mad people?” Andrew Storms, director of security operations at nCircle, wrote on Twitter.
Low Risk of Attack
Adobe originally claimed it wouldn’t release a free patch for these applications because, historically, attackers have not targeted Photoshop, Flash Professional, or Illustrator. In the company’s view, the risk wasn’t big enough to make a free patch worthwhile. Users who didn’t upgrade to CS6 should “follow security best practices and exercise caution when opening files from unknown or trusted sources,” the company said.
It seems a little disingenuous to assume attackers won’t attack a vulnerability because they haven’t done so before. In fact, proof-of-concept exploit code appears to already exist for the Photoshop flaw.
“Adobe customers who feel nervous opening .TIF files will judge the level of risk for themselves, and prefer to seek alternatives from companies that take better care of their users,” Graham Cluley, senior technology consultant at Sophos, wrote on Naked Security.