Feeds

Adobe backs down, patches critical Photoshop CS5 hole

Paid upgrade fix row leaves a nasty taste

Next gen security for virtualised datacentres

Adobe backed down on Friday and promised to release a fix for earlier versions of its Photoshop software after previously insisting users who wanted to safeguard themselves from a critical security vulnerability had to pay for an upgrade.

A security flaw in Adobe Photoshop version CS5 and earlier means users could be exposed to malware providing they were tricked into opening a boobytrapped .TIF file. Adobe's initial response to the discovery of the flaw was an issue an advisory pointing out that users of the latest Adobe Photoshop version CS6 were immune to the cross-platform flaw. The software giant initially declined the issue a security patch for earlier versions of the software on the dubious grounds that because Photoshop "has historically not been a target for attackers", the risk level was supposedly low.

This view was mistaken for several reasons, including the plausibility of possible exploits and the fact that Adobe applications, in general, have become a prime target for hackers over the last two or three years.

Instead of offering a security patch, Adobe initially advised users of earlier versions of Photoshop to "exercise caution" over what files they open with their applications. If that wasn't good enough then an upgrade to Adobe Photoshop CS6 would do the trick, at a cost of $199 (£124) or more. Adobe Photoshop CS6 was only released in early May 2012, just days before the security issue with earlier versions of the product became public knowledge.

Photoshop version CS5.5, released last year, doesn't need to be patched.

Adobe Photoshop version CS5 is around two years old and certainly not a discontinued product. The widely used application remains on sale through various channels.

Adobe Illustrator CS5.5 and earlier, and Adobe Flash Professional CS5.5 (11.5.1.349) and earlier are also vulnerable to the same vulnerability. In each case users were initially advised to upgrade to the CS6 versions of the expensive design product if they wanted security software.

Security watchers wasted little time on heaping scorn on Adobe's stance, arguing that the vendor was abusing its monopoly position and pushing its customers towards choosing between paying for a security upgrade or leaving themselves at greater risk of hacking attacks. They said Adobe was effectively charging paying customers for security fixes.

"Adobe has abdicated this responsibility," Graham Cluley, senior technology consultant at security vendor Sophos argued. "It has found a critical vulnerability — a security flaw in Photoshop CS5 — that puts its users at risk, and instead of fixing it, the company is advertising the fact that there is a problem where the solution is that you pay for an upgrade to Photoshop CS6."

Photoshop users also vented their frustrations on social networking websites.

As late as Friday afternoon, in response to questions from El Reg, Adobe continued to defend its controversial no-patch-for-CS5 stance.

While Adobe did resolve the vulnerabilities addressed in the security bulletin you are referencing below (APSB12-11) in the Adobe Photoshop CS6 major release, no dot release was scheduled or released for Adobe Photoshop CS5.

In looking at all aspects, including the vulnerabilities themselves and the threat landscape, the team did not believe the real-world risk to customers warranted an out-of-band release for the CS5 version to resolve these issues.

The security bulletin for Photoshop is rated as a Priority 3 update, indicating that it is a product that has historically not been a target for attackers, and in this case we are not aware of any exploits targeting any of the issues fixed. Installation of the upgrade is therefore at the user's/administrator's discretion.

Hours later, Adobe performed an abrupt U-turn and promised to issue a fix for Adobe Photoshop version CS5, something it should have done in the first place. Arguments advanced by Adobe last week – that the vulnerability was "theoretical" or that hackers weren't after its software – were shown to be weak and just plain wrong more than 10 years ago, as Microsoft would be able to testify.

Adobe has modified its original 8 May advisory to say it is developing patches for the critical holes in the CS5.x versions of Adobe Photoshop, Adobe Illustrator CS5.x and Adobe Flash Professional CS5.x. It's unclear when these patches will become available.

"Adobe has released Adobe Photoshop CS6 (paid upgrade), which addresses these vulnerabilities," the revised version of the advisory continues to say. "We are in the process of resolving these vulnerabilities in Adobe Photoshop CS5.x, and will update this Security Bulletin once the patch is available." ®

The essential guide to IT transformation

More from The Register

next story
Goog says patch⁵⁰ your Chrome
64-bit browser loads cat vids FIFTEEN PERCENT faster!
Chinese hackers spied on investigators of Flight MH370 - report
Classified data on flight's disappearance pinched
NIST to sysadmins: clean up your SSH mess
Too many keys, too badly managed
Scratched PC-dispatch patch patched, hatched in batch rematch
Windows security update fixed after triggering blue screens (and screams) of death
Researchers camouflage haxxor traps with fake application traffic
Honeypots sweetened to resemble actual workloads, complete with 'secure' logins
Attack flogged through shiny-clicky social media buttons
66,000 users popped by malicious Flash fudging add-on
prev story

Whitepapers

Best practices for enterprise data
Discussing how technology providers have innovated in order to solve new challenges, creating a new framework for enterprise data.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Advanced data protection for your virtualized environments
Find a natural fit for optimizing protection for the often resource-constrained data protection process found in virtual environments.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?