Adobe's fix for Photoshop CS5 security issue? Buy Photoshop CS6

Way to alienate a loyal customer base, Adobe.

Earlier this week we reported on how users of a bunch of Adobe products, including Photoshop CS5 and earlier, were being warned about serious security issues.

In the case of the Windows and Mac versions of Adobe Photoshop, a vulnerability exists in version CS5 and earlier that could be exploited by a malicious attacker who tricks you into opening a boobytrapped .TIF file in order to take control of your computer.

That's a very serious problem. So, you would imagine that users would be rushing to download the security patch. Right?

Wrong.

Because the only fix that Adobe is making available is for users to upgrade to the latest version of Adobe Photoshop CS6. And that's going to cost users $199 or more. (If you aren't eligible for the upgrade, it will cost $600).

Ouch.

Adobe's advice - pay up

And it's a similar story for Windows and Mac users of Adobe Illustrator CS5.5 and earlier, and Adobe Flash Professional CS5.5 (11.5.1.349) and earlier. In each case, Adobe's answer is for you to pay a not inconsiderable amount of money to update to the next major version of the product in order to benefit from the security fix.

Sure enough, social networks and online forums are buzzing with posts from disgruntled users - angry that they are having to shell out hundreds of dollars for something which is, after all, Adobe's fault.

Adobe meanwhile tells users to "exercise caution" over what files they open with their applications, if they aren't prepared to pay for the upgrade.

What a PR disaster for the company.

At first, when I heard the news, I thought there must be some mistake. Maybe Adobe's security advisories had been worded poorly and, although upgrading - for example, to Photoshop CS6 - would fix the vulnerability, the firm would also roll out a free patch to users of earlier versions.

But no. Judging by a report from H-Online, Adobe has no plans to publish a free security fix.

Adobe's view is that because Photoshop "has historically not been a target for attackers" the risk level doesn't make it worthwhile to produce a fix that users don't have to pay for.

Maybe Adobe customers who feel nervous opening .TIF files will judge the level of risk for themselves, and prefer to seek alternatives from companies that take better care of their users.

Update: Some good news. Adobe has clearly been influenced by the angry response from its users, and has now said that it will release a patch for Adobe Illustrator CS5.x, Adobe Photoshop CS5.x (12.x) and Adobe Flash Professional CS5.x. The security patches are not available yet, so be sure to keep your eyes peeled for when they are available.

You can find more details on Adobe's blog.

This is clearly preferable to Adobe customers' only option being to pay hundreds of dollars to fix their software.


31 Responses to Adobe's fix for Photoshop CS5 security issue? Buy Photoshop CS6

  1. Tritter1 · 808 days ago

    Well, considering this immature response from Adobe for these vulnerabilities, I guess it's better to pirate their software or better still look for better ones

  2. Jay · 808 days ago

    That's why I use GIMP... :D

  3. JeanB · 808 days ago

    There are really no alternatives to Adobe Photoshop. That's why monopolies are bad!

    • Gordon · 807 days ago

      Try Serif Photoshop X5. Easier to use than Adobe and has a lot more functionality than Gimp. And it's much, much cheaper.

  4. Nathanael · 808 days ago

    Given that there are free bits of software that will convert the TIF to another photoshop compatible file format (presumably wiping out the vulnerability) then maybe that's what they're expecting users to do?

    Seems like a dumb move though; all of a sudden they have that file open in another application; they might realise that small jobs are easy enough to do, and it's quicker to just do it there than loading up the Adobe application... and there's always the risk that the user will find that they don't hate this experience.

    Weird thinking Adobe.

  5. IT Director · 808 days ago

    WHERE DO I SIGN UP FOR THE CLASS-ACTION LAWSUIT??

  6. I smell an antitrust investigation.

  7. Ross · 808 days ago

    Irrespective of a monopoly or antitrust etc, there's a large percentage of their users still using CS3, CS4 and CS5 versions because they still are valuable tools that get the job done. Not providing a patch is really sticking the knife in the back of these users, and Adobe should be ashamed, especially given it's probably not much skin off their nose to do it.

    They still regularly produce patches (security and otherwise) for these suites (the older ones too), as well as their free products - just open Adobe Updater and you'll find them! I can't understand how they can justify not producing just one extra to fix this vulnerability.

  8. Dee · 808 days ago

    GIMP... does most of the same things as Photoshop and it is free. Pixelmator about a quarter of the price if not less... There are alternatives.

    I more or less stopped using Adobe Photoshop years ago when they kept rolling out "upgrades" almost every year, that had little or nothing in the way of new features (upgrade should mean new features, upDATE is bug fixes...) and they were expensive to boot. So, Adobe has been charging for bug fixes and patches for years - this isn't new for them.

  9. Sue · 808 days ago

    I still have Adobe CS3, which I bought when I was a student. I haven't had any information from Adobe about this, only an announcement of the launch of CS6. If it wasn't for Sophos I wouldn't know anything about it. Adobe did tell me they weren't supporting CS3 any more but I think they should make an exception in this case.

  10. artfrankmiami · 808 days ago

    That's why I'm still on CS3. Does it affect me?

  11. SysEngr1 · 808 days ago

    Think I finally made up my mind -- Corel X6, here I come.

  12. User · 808 days ago

    Adobe's right - the risk is so minimal it's not even worth worrying about. No one is going to hack your computer by sending you a bad TIFF.

  13. I believe this affects all Adobe products that use the TIFF parser library used in pre-CS6 versions of their CS product line. They have not indicated whether it affects CS2 and earlier, but I'm pretty confident it affects CS3 and later.

    The bigger issue here is that CS is an integrated publishing environment... there are no real alternatives for it, even though there are discrete replacements for individual components. A publishing house is not going to switch from CS to a different publishing workflow overnight -- and they aren't going to remove TIFF documents from their workflow either. So, the only safe mitigation options they have are 1) pay for the upgrade for all seats or 2) implement an extra stage of TIFF quarantine and scan for the exploit, and add a security operations manager to the team, tasked with ensuring all new exploits are protected against as they are reported. Upgrading is likely often the cheapest solution.

    • JNWC · 805 days ago

      Sadly, you are 100% correct here. In my industry, there really are no alternatives to the Adobe creative suite. If you work in the print/design industry, chances are very, very good that you're using Creative Suite, and Adobe realizes this. They have recently switched to a yearly release schedule for new full releases in order to better capitalize on this fact, and they somehow think that their customers are OK with this. Really, the amount of hubris they are exhibiting is staggering.

      It kind of reminds me of how cocky Quark was about not immediately creating an OSX version when OSX came out. Look where Quark is now...

  14. Al2ka · 808 days ago

    Will Sophos anti-virus products detect any boobytrapped TIF files containing the latest known Adobe CS5 vulnerability? Hence covering our backs for us if we can't afford CS6?

  15. Marc · 808 days ago

    Bad form Adobe, bad form .. Seems like it would be used in targeted attacks. NEVER open ANY file you don't trust, good rule to live by.

  16. Peter_Y · 807 days ago

    (Last updated: May 11, 2012)
    Security Bulletin for Adobe Photoshop (APSB12-11): ... "Adobe Photoshop CS6 addresses these vulnerabilities. [however] We are in the process of resolving these vulnerabilities in Adobe Photoshop CS5.x, and will update this Security Bulletin once the patch is available." ... So Adobe will provide a patch for CS5.x as soon as they can.

  17. timbearcub · 807 days ago

    Typical Adobe....they're getting more and more like Apple, and apart from Camera RAW they don't seem to support CS versions that long, before you know it it's a laughable update like 5 > 5.5 and they expect me to pay an extra 400 dollars to get Audition, a piece of software I gave beta feedback for, and was previously part of the Mac suite which they then took out, then put back in. Also I bought production bundle, and the 'free gift' never arrived or worked. I don't see any good reason to buy their software - but it is a monopoly.

    There isn't a serious alternative for Photoshop - unlike say other parts of the CS, Quark, FCP, Avid, Motion, Corel Draw etc.

    Those who above say 'use GIMP!' made me laugh and don't work in the industry. Obviously it's great for LOLCats and casual home users etc. but if you work in the creative print or design industries it doesn't cut it at all. Not. even. close.

    Yes I have tried to use GIMP as a professional designer...it's a joke. Paintshop Pro or yes even Corel's old Paint prog or the short lived Image Composer (remember that?) was more usable and professional than GIMP....so serious alternative suggestions for professional designers and photographers, please.

  18. RobinS · 807 days ago

    If we upgrade to CS6, it only encourages Adobe to do the same thing again the next time there is a threat. Adobe has become the most arrogant software company on earth. They are not to be trusted with our business.

  19. Michael Young · 805 days ago

    Adobe have never been big on putting the interests of its products' users first.

  20. Ian MacLaren · 805 days ago

    Still no update for CS4. We paid good money for this and it is still fit for purpose for what we do with it. We have no need to upgrade to CS5 or 6, but would appreciate security patches. The one thing the recent Apple / Java thing showed, was that if you leave an unpatched hole for long enough, someone will find a way to use it for something unpleasant.

  21. Sharp · 805 days ago

    I knew that would not last long. If Adobe didn't release an update for CS5, they would have watched sales drop on all their products. It's not just a company market for CS suite, or any of their products for that matter, and does affect individuals who have no interest in updating each year.

    I think that even their delayed approach to patching CS 5.x will cause an issue with the CS6 sales. People might as well just boycott buying CS6, to leave a mark in their records to remind them of the bad choice they made toward their users.

    I use paint.net as my free alternative. I guess it's not as fancy as Photoshop, but it gets the job done. I don't deal with Design much, but I have had a few in-depth projects with it.

  22. Leo-leo · 805 days ago

    Does this also affect Adobe Photoshop Elements?

  23. computationalerr · 805 days ago

    I think it goes like this... Lots of people have pirated versions of software that you cannot update, or you could lose activation. They do something stupid like this (before the update) where people "have" to upgrade to get patched, so it is very publicized that there is a vulnerability. Then, they release a patch for it... pretty quickly. Some of the people that would download pirated copies, the "casual copiers", and some of the people that have pirated copies installed get scared, so they go legit.

  24. David Pittle · 805 days ago

    Not a new thing. Adobe products are always expensive, but their customer support is uncooperative and haughty. I have stuck with them until recently, but I find nothing compelling me to "upgrade" to CS5 or 6. However I am about to plunge into the learning curve for Corel Photo Paint Shop Pro.

  25. Absolutemplar · 804 days ago

    Guess what software gets targeted next for vulnerabilities?

  26. Nigel · 804 days ago

    This latest incident is just another insult in the long list of abuses Adobe has been heaping upon their customers.

    Adobe's regard for their customers has been in gradual decline since about the time of their abandonment of PageMaker. But the decline has steepened ever since former CEO and Bill Gates wannabe Bruce Chizen apparently decided that arrogance was a necessary part of his new pseudo-Microsoft company persona.

    Since then, Adobe products have become increasingly user-UN-friendly, their support less accessible or useful, and their disregard for their customers more blatant. Of particular note is their trashing of the Macintosh look and feel in their products --- an ironic snub of the company's own roots as an original developer of innovative Macintosh software.

    I'm not impressed with their relenting on the upgrade vs. update issue. The damage is done. I'm more inclined than ever to find alternatives to Adobe products.

  27. lisa · 800 days ago

    I think their attorneys made them see the light. Software so expensive I better get updates! CS5 was a big upgrade for me and I only had it a year! Greedy a$$

  28. mvp29 · 797 days ago

    I own CS5.5 and just got an email notifying of my new CS6 license keys. Free upgrade without asking for it.

    I actually think the CS6 UI is a major improvement as well.

About the author

Graham Cluley runs his own award-winning computer security blog, and is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations.