Menu
Adobe: Pay upgrade price to patch critical bugs

Adobe: Pay upgrade price to patch critical bugs

Move is a 'PR disaster,' says one security expert; another calls it return to 'dunce cap seat'

Adobe has told users of its Creative Suite, which includes the company's premier products like Photoshop and Illustrator, to spend $375 to upgrade if they want patches for eight critical vulnerabilities.

Adobe will not be fixing the flaws in older editions of Photoshop, Illustrator and Flash Professional -- all components of Creative Suite -- even though it has rated the bugs as critical, and addressed the vulnerabilities in Creative Suite 6 (CS6), which launched late last month.

On Tuesday, Adobe issued security alerts for eight vulnerabilities in Photoshop 5 and earlier, and Illustrator and Flash Professional 5.5 and earlier. Of the eight bugs, one is in Flash Professional, two are in Photoshop and five in Illustrator.

According to Adobe, the vulnerabilities could be exploited "to take control of the affected system," and affect both Windows and Mac versions of the software. But rather than patch the bugs in the older programs, Adobe told users to upgrade to CS6.

"Adobe has released Adobe Photoshop CS6, which addresses these vulnerabilities," the advisory for the popular image editor stated. "For users who cannot upgrade to Adobe Photoshop CS6, Adobe recommends users follow security best practices and exercise caution when opening files from unknown or untrusted sources."

Users were furious.

"There's no excuse for this," ranted someone identified as "Smerity" on a discussion board at Hacker News.

"Adobe Photoshop CS5.5 has a critical security vulnerability, but the remedy is forced PAID upgrade to CS6? Genius," said "Kontra" on Twitter Thursday.

Security experts were astounded that Adobe would stoop to such tactics.

"This is totally unbecoming of them," said Andrew Storms, director of security operations at nCircle Security, in an interview today via instant messaging. "For all that they have been doing to revise their face of security, this just brings them right back into the dunce cap seat."

"What a PR disaster," chimed in Graham Cluley, senior technology consultant at U.K.-based Sophos, in a Friday blog post.

Both Storms and Cluley noted the significant outlay Adobe expects users to make to quash the bugs.

Upgrade prices for the three affected applications are $199 each; an upgrade to CS6 Design & Web Premium, the least-expensive edition that includes all three, runs $375. "That's no small bit of change," said Storms.

Adobe today confirmed that the older software would not be patched, and explained why it wouldn't update those editions.

"No dot release was scheduled or released for Adobe Photoshop CS5," said a company spokeswoman. "In looking at all aspects, including the vulnerabilities themselves and the threat landscape, the team did not believe the real-world risk to customers warranted an out-of-band release for the CS5 version to resolve these issues."

That's just tempting fate.

"Adobe saying that Photoshop is not a target is like putting out a welcome mat," Storms said. "I'm sure they used to think that PDF wasn't a target, either."

Storms also blasted Adobe for abandoning its users.

"If the prior product was five years old, then I could understand it from a lifecycle perspective," he said. "But Photoshop CS5 is just over two years old."

Adobe launched CS5 in mid-April 2010, and CS5.5 in April 2011.

The vulnerabilities in Photoshop could be exploited with malicious .tif image files, Adobe said. It did not describe the possible attack vectors against Illustrator or Flash Professional.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed. His email address is gkeizer@computerworld.com.

See more by Gregg Keizer on Computerworld.com.

Read more about malware and vulnerabilities in Computerworld's Malware and Vulnerabilities Topic Center.

Follow Us

Join the ARN newsletter!

Error: Please check your email address.

Upcoming

Slideshows

IN PICTURES: Nutanix's .NEXT channel event in Sydney (+20 photos)

IN PICTURES: Nutanix's .NEXT channel event in Sydney (+20 photos)

Nutanix recently held its customer and channel event, .NEXT, in Sydney. The event, held at the Sheraton on the Park saw attendance from more than 150 channel and technology partners and customers. It was the first in a series of events Nutanix is holding in A/NZ in August and September, the objective of which is to brief partners and customers on “what’s next” in the design and management of datacentre technology.

IN PICTURES: Nutanix's .NEXT channel event in Sydney (+20 photos)
IN PICTURES: EDGE 2015 sponsor debrief (+23 photos)

IN PICTURES: EDGE 2015 sponsor debrief (+23 photos)

Some of the sponsors of ARN's inaugural EDGE 2015 event got together at the ARN office for a debrieef of the event. Over some drinks and cheese, these attendees got an update on some key statistics that arose from the EDGE event and discussed potential topics and improvements that can be made at next year's event.

IN PICTURES: EDGE 2015 sponsor debrief (+23 photos)
IN PICTURES: ARN Distributor Roundtable, Sydney, 26.08.15 (+26 photos)

IN PICTURES: ARN Distributor Roundtable, Sydney, 26.08.15 (+26 photos)

ARN hosted a distributor roundtable at Cafe Del Mar in Sydney, at which attendees and their partners discussed the changing role of the traditional IT distributor. They spoke about the challenges of digital disruption, the blurring lines of the channel in the age of digital transformation, and examined the ever-evolving business models. This roundtable was sponsored by Distribution Central, Exclusive Networks, Rhipe, and Hemisphere Technologies. Photos by ARN Editorial Director, Mike Gee.

IN PICTURES: ARN Distributor Roundtable, Sydney, 26.08.15 (+26 photos)

iasset.com is a channel management ecosystem that automates all major aspects of the entire sales, marketing and service process, including data tracking, integrated learning, knowledge management and product lifecycle management.

Show Comments