Feeds

Adobe backs down, patches critical Photoshop CS5 hole

Paid upgrade fix row leaves a nasty taste

Beginner's guide to SSL certificates

Adobe backed down on Friday and promised to release a fix for earlier versions of its Photoshop software after previously insisting users who wanted to safeguard themselves from a critical security vulnerability had to pay for an upgrade.

A security flaw in Adobe Photoshop version CS5 and earlier means users could be exposed to malware providing they were tricked into opening a boobytrapped .TIF file. Adobe's initial response to the discovery of the flaw was an issue an advisory pointing out that users of the latest Adobe Photoshop version CS6 were immune to the cross-platform flaw. The software giant initially declined the issue a security patch for earlier versions of the software on the dubious grounds that because Photoshop "has historically not been a target for attackers", the risk level was supposedly low.

This view was mistaken for several reasons, including the plausibility of possible exploits and the fact that Adobe applications, in general, have become a prime target for hackers over the last two or three years.

Instead of offering a security patch, Adobe initially advised users of earlier versions of Photoshop to "exercise caution" over what files they open with their applications. If that wasn't good enough then an upgrade to Adobe Photoshop CS6 would do the trick, at a cost of $199 (£124) or more. Adobe Photoshop CS6 was only released in early May 2012, just days before the security issue with earlier versions of the product became public knowledge.

Photoshop version CS5.5, released last year, doesn't need to be patched.

Adobe Photoshop version CS5 is around two years old and certainly not a discontinued product. The widely used application remains on sale through various channels.

Adobe Illustrator CS5.5 and earlier, and Adobe Flash Professional CS5.5 (11.5.1.349) and earlier are also vulnerable to the same vulnerability. In each case users were initially advised to upgrade to the CS6 versions of the expensive design product if they wanted security software.

Security watchers wasted little time on heaping scorn on Adobe's stance, arguing that the vendor was abusing its monopoly position and pushing its customers towards choosing between paying for a security upgrade or leaving themselves at greater risk of hacking attacks. They said Adobe was effectively charging paying customers for security fixes.

"Adobe has abdicated this responsibility," Graham Cluley, senior technology consultant at security vendor Sophos argued. "It has found a critical vulnerability — a security flaw in Photoshop CS5 — that puts its users at risk, and instead of fixing it, the company is advertising the fact that there is a problem where the solution is that you pay for an upgrade to Photoshop CS6."

Photoshop users also vented their frustrations on social networking websites.

As late as Friday afternoon, in response to questions from El Reg, Adobe continued to defend its controversial no-patch-for-CS5 stance.

While Adobe did resolve the vulnerabilities addressed in the security bulletin you are referencing below (APSB12-11) in the Adobe Photoshop CS6 major release, no dot release was scheduled or released for Adobe Photoshop CS5.

In looking at all aspects, including the vulnerabilities themselves and the threat landscape, the team did not believe the real-world risk to customers warranted an out-of-band release for the CS5 version to resolve these issues.

The security bulletin for Photoshop is rated as a Priority 3 update, indicating that it is a product that has historically not been a target for attackers, and in this case we are not aware of any exploits targeting any of the issues fixed. Installation of the upgrade is therefore at the user's/administrator's discretion.

Hours later, Adobe performed an abrupt U-turn and promised to issue a fix for Adobe Photoshop version CS5, something it should have done in the first place. Arguments advanced by Adobe last week – that the vulnerability was "theoretical" or that hackers weren't after its software – were shown to be weak and just plain wrong more than 10 years ago, as Microsoft would be able to testify.

Adobe has modified its original 8 May advisory to say it is developing patches for the critical holes in the CS5.x versions of Adobe Photoshop, Adobe Illustrator CS5.x and Adobe Flash Professional CS5.x. It's unclear when these patches will become available.

"Adobe has released Adobe Photoshop CS6 (paid upgrade), which addresses these vulnerabilities," the revised version of the advisory continues to say. "We are in the process of resolving these vulnerabilities in Adobe Photoshop CS5.x, and will update this Security Bulletin once the patch is available." ®

Protecting users from Firesheep and other Sidejacking attacks with SSL

More from The Register

next story
Spies would need SUPER POWERS to tap undersea cables
Why mess with armoured 10kV cables when land-based, and legal, snoop tools are easier?
Early result from Scots indyref vote? NAW, Jimmy - it's a SCAM
Anyone claiming to know before tomorrow is telling porkies
Jihadi terrorists DIDN'T encrypt their comms 'cos of Snowden leaks
Intel bods' analysis concludes 'no significant change' after whistle was blown
Israeli spies rebel over mass-snooping on innocent Palestinians
'Disciplinary treatment will be sharp and clear' vow spy-chiefs
TOR users become FBI's No.1 hacking target after legal power grab
Be afeared, me hearties, these scoundrels be spying our signals
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
China hacked US Army transport orgs TWENTY TIMES in ONE YEAR
FBI et al knew of nine hacks - but didn't tell TRANSCOM
Microsoft to patch ASP.NET mess even if you don't
We know what's good for you, because we made the mess says Redmond
NORKS ban Wi-Fi and satellite internet at embassies
Crackdown on tardy diplomatic sysadmins providing accidental unfiltered internet access
prev story

Whitepapers

Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Saudi Petroleum chooses Tegile storage solution
A storage solution that addresses company growth and performance for business-critical applications of caseware archive and search along with other key operational systems.
Protecting users from Firesheep and other Sidejacking attacks with SSL
Discussing the vulnerabilities inherent in Wi-Fi networks, and how using TLS/SSL for your entire site will assure security.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.