Feeds

Adobe backs down, patches critical Photoshop CS5 hole

Paid upgrade fix row leaves a nasty taste

Providing a secure and efficient Helpdesk

Adobe backed down on Friday and promised to release a fix for earlier versions of its Photoshop software after previously insisting users who wanted to safeguard themselves from a critical security vulnerability had to pay for an upgrade.

A security flaw in Adobe Photoshop version CS5 and earlier means users could be exposed to malware providing they were tricked into opening a boobytrapped .TIF file. Adobe's initial response to the discovery of the flaw was an issue an advisory pointing out that users of the latest Adobe Photoshop version CS6 were immune to the cross-platform flaw. The software giant initially declined the issue a security patch for earlier versions of the software on the dubious grounds that because Photoshop "has historically not been a target for attackers", the risk level was supposedly low.

This view was mistaken for several reasons, including the plausibility of possible exploits and the fact that Adobe applications, in general, have become a prime target for hackers over the last two or three years.

Instead of offering a security patch, Adobe initially advised users of earlier versions of Photoshop to "exercise caution" over what files they open with their applications. If that wasn't good enough then an upgrade to Adobe Photoshop CS6 would do the trick, at a cost of $199 (£124) or more. Adobe Photoshop CS6 was only released in early May 2012, just days before the security issue with earlier versions of the product became public knowledge.

Photoshop version CS5.5, released last year, doesn't need to be patched.

Adobe Photoshop version CS5 is around two years old and certainly not a discontinued product. The widely used application remains on sale through various channels.

Adobe Illustrator CS5.5 and earlier, and Adobe Flash Professional CS5.5 (11.5.1.349) and earlier are also vulnerable to the same vulnerability. In each case users were initially advised to upgrade to the CS6 versions of the expensive design product if they wanted security software.

Security watchers wasted little time on heaping scorn on Adobe's stance, arguing that the vendor was abusing its monopoly position and pushing its customers towards choosing between paying for a security upgrade or leaving themselves at greater risk of hacking attacks. They said Adobe was effectively charging paying customers for security fixes.

"Adobe has abdicated this responsibility," Graham Cluley, senior technology consultant at security vendor Sophos argued. "It has found a critical vulnerability — a security flaw in Photoshop CS5 — that puts its users at risk, and instead of fixing it, the company is advertising the fact that there is a problem where the solution is that you pay for an upgrade to Photoshop CS6."

Photoshop users also vented their frustrations on social networking websites.

As late as Friday afternoon, in response to questions from El Reg, Adobe continued to defend its controversial no-patch-for-CS5 stance.

While Adobe did resolve the vulnerabilities addressed in the security bulletin you are referencing below (APSB12-11) in the Adobe Photoshop CS6 major release, no dot release was scheduled or released for Adobe Photoshop CS5.

In looking at all aspects, including the vulnerabilities themselves and the threat landscape, the team did not believe the real-world risk to customers warranted an out-of-band release for the CS5 version to resolve these issues.

The security bulletin for Photoshop is rated as a Priority 3 update, indicating that it is a product that has historically not been a target for attackers, and in this case we are not aware of any exploits targeting any of the issues fixed. Installation of the upgrade is therefore at the user's/administrator's discretion.

Hours later, Adobe performed an abrupt U-turn and promised to issue a fix for Adobe Photoshop version CS5, something it should have done in the first place. Arguments advanced by Adobe last week – that the vulnerability was "theoretical" or that hackers weren't after its software – were shown to be weak and just plain wrong more than 10 years ago, as Microsoft would be able to testify.

Adobe has modified its original 8 May advisory to say it is developing patches for the critical holes in the CS5.x versions of Adobe Photoshop, Adobe Illustrator CS5.x and Adobe Flash Professional CS5.x. It's unclear when these patches will become available.

"Adobe has released Adobe Photoshop CS6 (paid upgrade), which addresses these vulnerabilities," the revised version of the advisory continues to say. "We are in the process of resolving these vulnerabilities in Adobe Photoshop CS5.x, and will update this Security Bulletin once the patch is available." ®

Choosing a cloud hosting partner with confidence

More from The Register

next story
SMASH the Bash bug! Apple and Red Hat scramble for patch batches
'Applying multiple security updates is extremely difficult'
Apple's new iPhone 6 vulnerable to last year's TouchID fingerprint hack
But unsophisticated thieves need not attempt this trick
Hackers thrash Bash Shellshock bug: World races to cover hole
Update your gear now to avoid early attacks hitting the web
Oracle SHELLSHOCKER - data titan lists unpatchables
Database kingpin lists 32 products that can't be patched (yet) as GNU fixes second vuln
Who.is does the Harlem Shake
Blame it on LOLing XSS terroristas
Researchers tell black hats: 'YOU'RE SOOO PREDICTABLE'
Want to register that domain? We're way ahead of you.
Stunned by Shellshock Bash bug? Patch all you can – or be punished
UK data watchdog rolls up its sleeves, polishes truncheon
Ello? ello? ello?: Facebook challenger in DDoS KNOCKOUT
Gets back up again after half an hour though
prev story

Whitepapers

A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.