Pages: 1 [2] 3 4   Go Down

Author Topic: CNET: "Adobe users must pay for security upgrades"  (Read 24241 times)

Farmer

  • Sr. Member
  • ****
  • Offline Offline
  • Posts: 2848
Re: CNET: "Adobe users must pay for security upgrades"
« Reply #20 on: May 13, 2012, 03:02:32 am »

You're missing the point. Mark is saying that unless that security risk exists, then there's no need for a patch.  Unless you know that the risk exists, why call for a patch or complain at the lack of one.

Also, calling anyone who disagrees with you or thinks that something Adobe does is reasonable an "apologist" gets old.  If you can't discuss a point without resorting to name calling then you really have nothing of value to say.
Logged
Phil Brown

shotworldwide

  • Jr. Member
  • **
  • Offline Offline
  • Posts: 63
    • shotworldwide.com
Re: CNET: "Adobe users must pay for security upgrades"
« Reply #21 on: May 13, 2012, 03:58:12 am »

If I look at this problem from the other angle - some people can use these vulnerabilities to take over your computer and attack third party companies.
Please correct me if I am wrong.

Does Adobe support these people?

Regards, Filip

--------------------------
http://shotworldwide.com
Logged
Regards, Filip

-----------------------------
http://shotworldwide.com

Farmer

  • Sr. Member
  • ****
  • Offline Offline
  • Posts: 2848
Re: CNET: "Adobe users must pay for security upgrades"
« Reply #22 on: May 13, 2012, 04:39:44 am »

Yes, yes I'm sure that Adobe supports these people - that's exactly it.  This is a conspiracy by Adobe to help these people attack their competitors so they can reach the number one position in the market.

Oh, wait...

Logged
Phil Brown

shotworldwide

  • Jr. Member
  • **
  • Offline Offline
  • Posts: 63
    • shotworldwide.com
Re: CNET: "Adobe users must pay for security upgrades"
« Reply #23 on: May 13, 2012, 05:00:16 am »

Actually, if there is a security vulnerability and Adobe refuses to fix it, then yes, Adobe supports them. And this is not a conspiracy theory, this is a reality, because these attacks are happening.

Regards, Filip

--------------------------
http://shotworldwide.com
Logged
Regards, Filip

-----------------------------
http://shotworldwide.com

Gary Brown

  • Full Member
  • ***
  • Offline Offline
  • Posts: 211
Re: CNET: "Adobe users must pay for security upgrades"
« Reply #24 on: May 13, 2012, 06:50:25 am »

Are you certain the same security risk exists in CS4 and CS3? I haven't seen any reference to it.

Adobe's security bulletin says, “Affected software versions: Adobe Photoshop CS5 and earlier versions for Windows and Macintosh” (emphasis added).
Logged

Farmer

  • Sr. Member
  • ****
  • Offline Offline
  • Posts: 2848
Re: CNET: "Adobe users must pay for security upgrades"
« Reply #25 on: May 13, 2012, 07:04:00 am »

Actually, if there is a security vulnerability and Adobe refuses to fix it, then yes, Adobe supports them. And this is not a conspiracy theory, this is a reality, because these attacks are happening.

They are happening, are they?  You have any evidence at all that this exploit has actually been used to make an attack?

How about the people who insist on opening unsolicited emails and attachments and opening images from unknown sources take some responsibility and either stop doing that or take security precautions (anti virus, anti malware, DEP, firewalls, etc.)?  Why must Adobe (or any company) provide patches on software that is 2.5 versions old in order to protect against stupidity (which is precisely how I would describe the act of opening such things - the only way known for this exploit to be delivered)?

When they weren't offering it for 5.x then I think there was a very legitimate concern, but once that was covered I think it's reasonable.
Logged
Phil Brown

shotworldwide

  • Jr. Member
  • **
  • Offline Offline
  • Posts: 63
    • shotworldwide.com
Re: CNET: "Adobe users must pay for security upgrades"
« Reply #26 on: May 13, 2012, 07:34:51 am »

They are happening, are they?  You have any evidence at all that this exploit has actually been used to make an attack?

How about the people who insist on opening unsolicited emails and attachments and opening images from unknown sources take some responsibility and either stop doing that or take security precautions (anti virus, anti malware, DEP, firewalls, etc.)?  Why must Adobe (or any company) provide patches on software that is 2.5 versions old in order to protect against stupidity (which is precisely how I would describe the act of opening such things - the only way known for this exploit to be delivered)?

When they weren't offering it for 5.x then I think there was a very legitimate concern, but once that was covered I think it's reasonable.

Many people lock the door even they did not get anything stolen yet ...

And Adobe has millions of users. We pay for the software & software upgrades and obviously some of us wish to keep our computers secure.

Would you post your credit card informations here? The World is safe, isn't?

Regards, Filip

--------------------------
http://shotworldwide.com
« Last Edit: May 13, 2012, 07:38:44 am by shotworldwide »
Logged
Regards, Filip

-----------------------------
http://shotworldwide.com

sniper

  • Sr. Member
  • ****
  • Offline Offline
  • Posts: 670
Re: CNET: "Adobe users must pay for security upgrades"
« Reply #27 on: May 13, 2012, 08:28:38 am »

They are happening, are they?  You have any evidence at all that this exploit has actually been used to make an attack?

How about the people who insist on opening unsolicited emails and attachments and opening images from unknown sources take some responsibility and either stop doing that or take security precautions (anti virus, anti malware, DEP, firewalls, etc.)?  Why must Adobe (or any company) provide patches on software that is 2.5 versions old in order to protect against stupidity (which is precisely how I would describe the act of opening such things - the only way known for this exploit to be delivered)?

When they weren't offering it for 5.x then I think there was a very legitimate concern, but once that was covered I think it's reasonable.
Your sure that the people reporting problems have opened "unsolicited emails and attachments and opening images" or is the security vulnerability in photoshop itself?  Theres a big difference.
If Adobe have left customers computers vulnerable then it should be their responsibality to fix it.
Logged

Ben Rubinstein

  • Sr. Member
  • ****
  • Offline Offline
  • Posts: 1822
Re: CNET: "Adobe users must pay for security upgrades"
« Reply #28 on: May 13, 2012, 10:19:45 am »

We don't accept it from Microsoft do we? They are still updating my XP and office 2003 versions. Why should we from Adobe?
Logged

Mark D Segal

  • Contributor
  • Sr. Member
  • *
  • Offline Offline
  • Posts: 12512
    • http://www.markdsegal.com
Re: CNET: "Adobe users must pay for security upgrades"
« Reply #29 on: May 13, 2012, 10:55:05 am »

We don't accept it from Microsoft do we? They are still updating my XP and office 2003 versions. Why should we from Adobe?

Ben, this is correct. Any provider of software that is heavily used on a world-wide basis has a material interest in security going back a good number of versions. As for Windows XP, there are still millions of users so Microsoft will do this. In the case of Adobe, fist of all it's a much smaller universe than Windows or OSX, but still important. I've been to PhotoshopWorld a number of times. Early in the first session Scott Kelby does a survey amongst the audience (of about 3000) to gauge how many are using what version of Photoshop. Systematically, judging from the hand-count I would say about 80% or more are up-graded to the latest version. If that's a valid sample, and Adobe would know from their internal metrics, the urgency of patching older versions may be less pronounced than it is in the case of a Microsoft. But my bottom line is that they should do it anyhow, because even if there were still several hundred thousand users of CS3/CS4 hanging around, there is a broader security interest that goes well beyond those users to have these versions patched. As I mentioned early, what matters most are the externalities. Any one infected computer can unknowingly spread it to a great many others. Phil has a point that stupidity plays a role in all of this, but sad to say, there is a good measure of stupidity out there, so like it or not the industry needs to cater for this.
Logged
Mark D Segal (formerly MarkDS)
Author: "Scanning Workflows with SilverFast 8....."

Mark D Segal

  • Contributor
  • Sr. Member
  • *
  • Offline Offline
  • Posts: 12512
    • http://www.markdsegal.com
Re: CNET: "Adobe users must pay for security upgrades"
« Reply #30 on: May 13, 2012, 10:58:13 am »

Are you certain the same security risk doesn't exist in CS4 and CS3?

To me and many others, we've moved considerably past the point of no return in giving Adobe the benefit of the doubt.

May I ask what "doubt" you won't give them your "benefit" of, and what are your credentials for making such sweeping judgments?
Logged
Mark D Segal (formerly MarkDS)
Author: "Scanning Workflows with SilverFast 8....."

David Luery

  • Newbie
  • *
  • Offline Offline
  • Posts: 24
Re: CNET: "Adobe users must pay for security upgrades"
« Reply #31 on: May 13, 2012, 11:51:29 am »

If that's a valid sample, ....

But it almost surely is not a valid sample, in the statistical sense of being an unbiased (roughly speaking, representative) sample of all Photoshop users.  I would imagine that those how attend PhotoshopWorld are more likely to be professionals and less likely to be amateur or hobbiest photographers.  And the amateurs / hobbiests are, I would also imagine, less likely to be on the current version of Photoshop.  Hence, by my logic, the sample of Photoshop users who attend Photoshop World are more likely than the 'average' user to be on the current version
Logged

Mark D Segal

  • Contributor
  • Sr. Member
  • *
  • Offline Offline
  • Posts: 12512
    • http://www.markdsegal.com
Re: CNET: "Adobe users must pay for security upgrades"
« Reply #32 on: May 13, 2012, 11:58:16 am »

But it almost surely is not a valid sample, in the statistical sense of being an unbiased (roughly speaking, representative) sample of all Photoshop users.  I would imagine that those how attend PhotoshopWorld are more likely to be professionals and less likely to be amateur or hobbiest photographers.  And the amateurs / hobbiests are, I would also imagine, less likely to be on the current version of Photoshop.  Hence, by my logic, the sample of Photoshop users who attend Photoshop World are more likely than the 'average' user to be on the current version

That's why I mentioned the qualification - that said, my anecdotal sense of it is that there's a tremendous variety of "cohorts" in that sample - every one from bare beginners through medium-to-advanced amateurs to seasoned professionals who attend. Needless to say I don't have access to Adobe's data but it doesn't matter - what matters is the number of users it takes to create a substantial security risk, and in that sense it's possible that there may be enough users of everything from CS3 onward to justify patching security flaws at least back three versions - if only to give every one peace of mind.
Logged
Mark D Segal (formerly MarkDS)
Author: "Scanning Workflows with SilverFast 8....."

daws

  • Sr. Member
  • ****
  • Offline Offline
  • Posts: 282
Re: CNET: "Adobe users must pay for security upgrades"
« Reply #33 on: May 13, 2012, 02:55:14 pm »

Why must Adobe (or any company) provide patches on software that is 2.5 versions old in order to protect against stupidity (which is precisely how I would describe the act of opening such things - the only way known for this exploit to be delivered)?

Thaaat's right, blame the customer for security holes in the app....  ::)
Logged

Mark D Segal

  • Contributor
  • Sr. Member
  • *
  • Offline Offline
  • Posts: 12512
    • http://www.markdsegal.com
Re: CNET: "Adobe users must pay for security upgrades"
« Reply #34 on: May 13, 2012, 03:03:08 pm »

Thaaat's right, blame the customer for security holes in the app....  ::)


Phil wasn't blaming customers for security flaws in the app. He was stating his position about the extent to which he thinks it's reasonable for a company to protect the community from users' own behaviour. He things 1.5 versions is enough; for overall security reasons, I would be a bit more expansive and go back to CS3.
Logged
Mark D Segal (formerly MarkDS)
Author: "Scanning Workflows with SilverFast 8....."

Farmer

  • Sr. Member
  • ****
  • Offline Offline
  • Posts: 2848
Re: CNET: "Adobe users must pay for security upgrades"
« Reply #35 on: May 13, 2012, 09:49:38 pm »

Your sure that the people reporting problems have opened "unsolicited emails and attachments and opening images" or is the security vulnerability in photoshop itself?  Theres a big difference.
If Adobe have left customers computers vulnerable then it should be their responsibality to fix it.

So far, there are NO reported cases - only a proof of concept.  It needs someone to deliberately craft a TIFF file to cause the problem, which means if you exercise normal internet security of not opening things that don't come from trusted sources then it's extraordinarily unlikely that you will have a problem.
Logged
Phil Brown

Mark D Segal

  • Contributor
  • Sr. Member
  • *
  • Offline Offline
  • Posts: 12512
    • http://www.markdsegal.com
Re: CNET: "Adobe users must pay for security upgrades"
« Reply #36 on: May 13, 2012, 10:59:11 pm »

So far, there are NO reported cases - only a proof of concept.  It needs someone to deliberately craft a TIFF file to cause the problem, which means if you exercise normal internet security of not opening things that don't come from trusted sources then it's extraordinarily unlikely that you will have a problem.

Phil - yes, but suppose a "trusted source" passes on an infected TIFF because they don't know it's infected? I can easily conjure perfectly innocent scenarios in which this could occur. This security - or perhaps better to say - insecurity business is becoming so sophisticated that unfortunately one needs defense in depth and then hope to be adequately protected.
Logged
Mark D Segal (formerly MarkDS)
Author: "Scanning Workflows with SilverFast 8....."

Farmer

  • Sr. Member
  • ****
  • Offline Offline
  • Posts: 2848
Re: CNET: "Adobe users must pay for security upgrades"
« Reply #37 on: May 13, 2012, 11:14:56 pm »

I agree, Mark.  Everyone should be encouraged to practice good security and be responsible netizens.  But, really, how often are people passing TIFFs that will be opened in an Adobe app that are just random files (as opposed to emails with funny pictures in them, which will be viewed)?

All we have at the moment is a proof of concept.  We haven't seen any reported cases in the wild.  We don't know for sure how it affects previous versions.  We don't know whether this will circumvent normal security processes (AV, AM, DEP), so it's a little early to be crucifying Adobe (or anyone) for not going back more than 2.5 versions.

I felt the commentary about not looking at CS5.x was warranted as it is effectively still "current", but I'm not convinced that it needs to ba priority to look at older versions.
Logged
Phil Brown

Mark D Segal

  • Contributor
  • Sr. Member
  • *
  • Offline Offline
  • Posts: 12512
    • http://www.markdsegal.com
Re: CNET: "Adobe users must pay for security upgrades"
« Reply #38 on: May 13, 2012, 11:23:52 pm »

Yes, all those unknowns and uncertainties are there and you may right that the risk is probably not very high, though we can't be sure. I wouldn't "crucify" Adobe over this either, but I also think it's in their interest and everyone elses' to understand the importance of perceptions and take a long and broad view of reputational risk; judging from their latest response they seem to be doing that.
Logged
Mark D Segal (formerly MarkDS)
Author: "Scanning Workflows with SilverFast 8....."

daws

  • Sr. Member
  • ****
  • Offline Offline
  • Posts: 282
Re: CNET: "Adobe users must pay for security upgrades"
« Reply #39 on: May 14, 2012, 03:45:52 pm »

The latest from CNET:

Quote
Adobe will issue free security fixes for CS5 apps after all

The company says it's working on patches for Creative Suite 5.x versions of Photoshop, Illustrator, and Flash. Previously, customers would have had to pay to upgrade to CS6 to get the fixes.

May 12, 2012

Adobe has apparently changed its mind about requiring customers to pay to get recent security patches for its Photoshop, Illustrator, and Flash Professional products.

The patches cover vulnerabilities that could let a remote user execute malicious code and take control of computers that are running the products.

A post to Adobe's security blog dated yesterday says the following:

"We are in the process of resolving the vulnerabilities...in Adobe Illustrator CS5.x, Adobe Photoshop CS5.x (12.x) and Adobe Flash Professional CS5.x, and will update the respective Security Bulletins once the patches are available."

Adobe had originally said customers would need to pay to upgrade to the CS6 versions of the products to get the fix.

The company told CNET sister site ZDNet Australia earlier that "while Adobe did resolve these issues in the Adobe Illustrator/Photoshop/Flash Professional CS6 major releases, no dot release was scheduled or released for Adobe Illustrator/Photoshop/Flash Professional CS5 or CS5.5," and that "the team did not believe the real-world risk to customers warranted an out-of-band release to resolve these issues."

Adobe told ZDNet Australia that it wasn't aware of any attacks that were taking advantage of the security flaws, but the news site noted that there is "a working proof of concept for the Photoshop vulnerability in the wild, which could make it trivial for a hacker to launch a targeted attack on a user."

Rich Mogull, a security analyst at Securosis.com, told Macworld that a software maker not issuing security patches for products it still supports breaks with "industry convention and customer expectations. If the products are really out of support, then that's understandable. But [Adobe's] own site shows them still within an active support window." Macworld reported on the CS5.x fixes earlier today.

It's unfortunate for Adobe that it took an explosion of outrage and derision in the social media for Adobe to reverse its original "pay for security" policy.

Unfortunate, too, that there is still no specific mention in the Adobe Product Security blog about vulnerabilities in CS4x or CS3x.




« Last Edit: May 14, 2012, 03:51:37 pm by daws »
Logged
Pages: 1 [2] 3 4   Go Up