daws
« on: May 11, 2012, 07:02:10 PM »
From CNET news: May 11, 2012
Adobe users must pay for security upgrades
The company has released patches for four of its software suites, but users concerned about the vulnerabilities in these products will be required to purchase upgrades of each product except for one.
Adobe's recent release of patches for Photoshop, Illustrator, Flash Professional, and Shockwave have all been marked critical by the company, but users will be required to pay out of their own pocket for almost all of them.
All of the related vulnerabilities, found in each of Adobe's four software suites, have the potential to allow a remote user to execute arbitrary code and take complete control of the user's computer. While the patch for Shockwave is free, no such patch is available for CS5.5, or earlier versions of Photoshop, Illustrator, and Flash Professional. Instead, users concerned about the vulnerabilities in these products will be required to purchase upgrades of each product.
According to Adobe's site, it will cost at least $199 U.S. to upgrade to Photoshop CS6, $249 to upgrade to Illustrator CS6, and $99 to upgrade to Flash Professional CS6.
Thanks a heap, 'Dobe. (And if you think I'm pissed, wait'll you read the comments posted on the CNET site!) Can't wait to hear the defenses that will be spun for this one.
« Last Edit: May 11, 2012, 07:08:08 PM by daws »

Mark D Segal
« Reply #1 on: May 11, 2012, 07:11:14 PM »
If this is what's really going on, it strikes me as questionable corporate strategy. The whole industry has an interest in keeping the internet a safe place to be and if it means offering free security patches for several versions back, that would seem to be in their interest. It's like network economics, the case being here that the more people who can be induced to stay safe (say by not having to pay for security patches), the safer the system for everyone.

bill t.
« Reply #2 on: May 11, 2012, 07:27:44 PM »
I think they're confusing upgrades, as from CS5 to CS6, with security updates. In some newsroom somewhere, the tech subject writer is on vacation and the fashion editor is filling in as best he can. Which is not to say those $199 upgrades are less than inflammatory, but at least we're used to it by now.

Mark D Segal
« Reply #3 on: May 11, 2012, 07:31:15 PM »
If it's just confusion I'm glad to hear that. As for the price of the upgrades - look - they're a business with shareholders and high overheads with big numbers of high-end staff all over the planet delivering state-of-the-art technology. What do you expect?

Gary Brown
« Reply #4 on: May 11, 2012, 07:54:40 PM »
Here's the Adobe Security Bulletin. It's not written particularly clearly, but it does say that the vulnerability affects “Adobe Photoshop CS5 and earlier versions for Windows and Macintosh.” As the solution, “Adobe has released Adobe Photoshop CS6 (paid upgrade), which addresses these vulnerabilities. For users who cannot upgrade to Adobe Photoshop CS6, Adobe recommends users follow security best practices and exercise caution when opening files from unknown or untrusted sources.”

daws
« Reply #5 on: May 11, 2012, 08:03:37 PM »
As the solution, “Adobe has released Adobe Photoshop CS6 (paid upgrade), which addresses these vulnerabilities. For users who cannot upgrade to Adobe Photoshop CS6, Adobe recommends users follow security best practices and exercise caution when opening files from unknown or untrusted sources.”
In other words, "Dear Customer: buy our upgrade or you're on your own, security-wise." Incredible. Having used computers since 1984, I can't recall the customers of a major app ever facing this kind of situation. Does Adobe seriously believe this won't backfire in their faces?

bill t.
« Reply #6 on: May 11, 2012, 08:09:59 PM »
I guess I was being too kind.
WTF! I kinda expect software vendors to fix serious security vulnerabilities for quite a few versions back, for no charge and very quickly. It has something to do with being a responsible citizen in the online world. Particularly for software packages that cost, what, $800?
Is this a PS bug or something to do with the TIF file format itself? Not too clear from the writeup.
But some very loud complaining is in order, IMHO. Adobe needs to perceive this as a PR disaster.

Tony Jay
« Reply #7 on: May 11, 2012, 09:43:51 PM »
I have read the Adobe update.
Poorly written piece but it appears at this stage that Adobe have no plan to provide a fix for earlier versions of Photoshop. Clearly this is unacceptable and at the very least a far better explanation of what is going on is required. (Senior executives at a press conference come to mind along with a press release that doesn't read like "Chinese" English.) A really good explanation of why Adobe will not or cannot fix the issue in earlier versions also needs to be provided.
Any excuses along the lines that previous versions should have been upgraded anyway to exonerate Adobe's responsibility here should be firmly rejected.
Regards
Tony Jay

daws
« Reply #8 on: May 12, 2012, 03:43:48 AM »
As expected, this thing is exploding across the social media. From nakedsecurity... What a PR disaster for the company.
At first when I heard the news I thought there must be some mistake. Maybe Adobe's security advisories had been worded poorly and although upgrading - for example, to PhotoShop CS6 - would fix the vulnerability, the firm would also roll out a free patch to users of earlier versions.
But no. Judging by a report from H-Online, Adobe has no plans to publish a free security fix.
Adobe's view is that because Photoshop "has historically not been a target for attackers" the risk level doesn't make it worthwhile to produce a fix that users don't have to pay for.
From the H-Online Security site mentioned above:
Adobe have responded to the suggestion that they are effectively charging for security updates, saying that they do not believe that "the real-world risk to customers warranted an out-of band release to resolve these issues". On Wednesday, a security bulletin issued by Adobe pointed out security flaws in Photoshop CS5/CS5.5 and Illustrator CS5/CS5.5, but offered only a paid-for upgrade to the very recently released CS6 versions of the applications as a fix for the flaws.
Contacted by The H's associates at Heise Security, the company says it rated the APSB12-11 security bulletin a "priority 3 update" on the basis that "it is a product that has historically not been a target for attackers" and that it was not aware of any exploits targeting the issues that they had fixed. Adobe may be categorising exploits as "code used in anger to cause damage", because there is at least one proof of concept exploit for one of the APSB12-11 vulnerabilities.
Releasing a security advisory will, however, have raised awareness with attackers – especially attackers who use spear-phishing tactics aimed at particular categories of users within an organisation – that such holes exist in Photoshop and that they are potentially exploitable. Adobe says that installation of the upgrade "is therefore at the user's/administrator's discretion". The company also said that no "dot release" or update was scheduled for either Photoshop CS5 or CS5.5 where an "in-band" fix would have been included, so the flaws are likely to persist in the wild for a number of years.

shotworldwide
« Reply #10 on: May 12, 2012, 04:30:13 AM »
It seems to me that Adobe is doing everything that is possible to make their users more upset … interesting business strategy
Regards,
Filip
--------------------------
http://shotworldwide.com

Farmer
« Reply #11 on: May 12, 2012, 04:43:39 AM »
Did you read the updated bulletin? A patch for CS5.5 will be available.

Mark D Segal
« Reply #13 on: May 12, 2012, 01:56:52 PM »
Maybe you should just accept the fact as reported to us that Adobe is preparing a patch for PSCS5. And I'm pleased they are.

shotworldwide
« Reply #14 on: May 12, 2012, 02:23:42 PM »
Well, as I upgraded in November from CS3 I obviously don't feel happy as I have to pay twice for CS6. If I had waited like others I would pay only once now. But don't worry - I will accept it …
Regards,
Filip
--------------------------
http://shotworldwide.com

daws
« Reply #15 on: May 12, 2012, 05:10:40 PM »
We are in the process of resolving these vulnerabilities in Adobe Photoshop CS5.x, and will update this Security Bulletin once the patch is available
What about the users of CS4 and CS3?

Farmer
« Reply #16 on: May 12, 2012, 07:51:04 PM »
Dunno. How far back do you want them to go? They're doing 1.5 versions back now and the current version. Seems pretty reasonable.

daws
« Reply #17 on: May 12, 2012, 09:49:24 PM »
^ I think releasing a patch to fix what Adobe calls a "critical" security risk for CS5x, CS4x and CS3x is very reasonable -- and good customer relations.
The kind of long-range customer relations that seems to be escaping Adobe and its apologists these days.

Mark D Segal
« Reply #18 on: May 12, 2012, 10:02:50 PM »
Are you certain the same security risk exists in CS4 and CS3? I haven't seen any reference to it.

daws
« Reply #19 on: May 13, 2012, 12:18:31 AM »
Are you certain the same security risk doesn't exist in CS4 and CS3?
Only a few days ago I was certain no security risk existed in my CS5.5. I learned of it quite by accident, reading CNET news -- no thanks to Adobe.
To me and many others, we've moved considerably past the point of no return in giving Adobe the benefit of the doubt.
« Last Edit: May 13, 2012, 12:20:05 AM by daws »