Feeds

Adobe backs down, patches critical Photoshop CS5 hole

Paid upgrade fix row leaves a nasty taste

Securing Web Applications Made Simple and Scalable

Adobe backed down on Friday and promised to release a fix for earlier versions of its Photoshop software after previously insisting users who wanted to safeguard themselves from a critical security vulnerability had to pay for an upgrade.

A security flaw in Adobe Photoshop version CS5 and earlier means users could be exposed to malware providing they were tricked into opening a boobytrapped .TIF file. Adobe's initial response to the discovery of the flaw was an issue an advisory pointing out that users of the latest Adobe Photoshop version CS6 were immune to the cross-platform flaw. The software giant initially declined the issue a security patch for earlier versions of the software on the dubious grounds that because Photoshop "has historically not been a target for attackers", the risk level was supposedly low.

This view was mistaken for several reasons, including the plausibility of possible exploits and the fact that Adobe applications, in general, have become a prime target for hackers over the last two or three years.

Instead of offering a security patch, Adobe initially advised users of earlier versions of Photoshop to "exercise caution" over what files they open with their applications. If that wasn't good enough then an upgrade to Adobe Photoshop CS6 would do the trick, at a cost of $199 (£124) or more. Adobe Photoshop CS6 was only released in early May 2012, just days before the security issue with earlier versions of the product became public knowledge.

Photoshop version CS5.5, released last year, doesn't need to be patched.

Adobe Photoshop version CS5 is around two years old and certainly not a discontinued product. The widely used application remains on sale through various channels.

Adobe Illustrator CS5.5 and earlier, and Adobe Flash Professional CS5.5 (11.5.1.349) and earlier are also vulnerable to the same vulnerability. In each case users were initially advised to upgrade to the CS6 versions of the expensive design product if they wanted security software.

Security watchers wasted little time on heaping scorn on Adobe's stance, arguing that the vendor was abusing its monopoly position and pushing its customers towards choosing between paying for a security upgrade or leaving themselves at greater risk of hacking attacks. They said Adobe was effectively charging paying customers for security fixes.

"Adobe has abdicated this responsibility," Graham Cluley, senior technology consultant at security vendor Sophos argued. "It has found a critical vulnerability — a security flaw in Photoshop CS5 — that puts its users at risk, and instead of fixing it, the company is advertising the fact that there is a problem where the solution is that you pay for an upgrade to Photoshop CS6."

Photoshop users also vented their frustrations on social networking websites.

As late as Friday afternoon, in response to questions from El Reg, Adobe continued to defend its controversial no-patch-for-CS5 stance.

While Adobe did resolve the vulnerabilities addressed in the security bulletin you are referencing below (APSB12-11) in the Adobe Photoshop CS6 major release, no dot release was scheduled or released for Adobe Photoshop CS5.

In looking at all aspects, including the vulnerabilities themselves and the threat landscape, the team did not believe the real-world risk to customers warranted an out-of-band release for the CS5 version to resolve these issues.

The security bulletin for Photoshop is rated as a Priority 3 update, indicating that it is a product that has historically not been a target for attackers, and in this case we are not aware of any exploits targeting any of the issues fixed. Installation of the upgrade is therefore at the user's/administrator's discretion.

Hours later, Adobe performed an abrupt U-turn and promised to issue a fix for Adobe Photoshop version CS5, something it should have done in the first place. Arguments advanced by Adobe last week – that the vulnerability was "theoretical" or that hackers weren't after its software – were shown to be weak and just plain wrong more than 10 years ago, as Microsoft would be able to testify.

Adobe has modified its original 8 May advisory to say it is developing patches for the critical holes in the CS5.x versions of Adobe Photoshop, Adobe Illustrator CS5.x and Adobe Flash Professional CS5.x. It's unclear when these patches will become available.

"Adobe has released Adobe Photoshop CS6 (paid upgrade), which addresses these vulnerabilities," the revised version of the advisory continues to say. "We are in the process of resolving these vulnerabilities in Adobe Photoshop CS5.x, and will update this Security Bulletin once the patch is available." ®

The smart choice: opportunity from uncertainty

More from The Register

next story
BMW's ConnectedDrive falls over, bosses blame upgrade snafu
Traffic flows up 20% as motorway middle lanes miraculously unclog
Putin: Crack Tor for me and I'll make you a MILLIONAIRE
Russian Interior Ministry offers big pile o' roubles for busting pro-privacy browser
Mozilla fixes CRITICAL security holes in Firefox, urges v31 upgrade
Misc memory hazards 'could be exploited' - and guess what, one's a Javascript vuln
Manic malware Mayhem spreads through Linux, FreeBSD web servers
And how Google could cripple infection rate in a second
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Don't look, Snowden: Security biz chases Tails with zero-day flaws alert
Exodus vows not to sell secrets of whistleblower's favorite OS
Roll out the welcome mat to hackers and crackers
Security chap pens guide to bug bounty programs that won't fail like Yahoo!'s
prev story

Whitepapers

Top three mobile application threats
Prevent sensitive data leakage over insecure channels or stolen mobile devices.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
Build a business case: developing custom apps
Learn how to maximize the value of custom applications by accelerating and simplifying their development.