Recent versions of Adobe Photoshop, Illustrator and Flash Professional – the company’s high-profile Creative Suite applications – have security vulnerabilities on both Mac and Windows platforms. On Saturday, Adobe confirmed its plan to issue free patches to fix the problems in all three applications – a reversal of its previous strategy that would have forced users to pay for a CS6 upgrade in order to rectify the problems.
According to an Adobe spokesperson, “The team decided to make available patches for Photoshop CS5.x, Illustrator CS5.x and Flash Professional CS5.x.” The time frame for availability of those fixes is unclear. “We are still in the process of finalising the timeline for the patches,” the spokesperson said. “We will update the respective security bulletins once the patches are available.”
Users can monitor the latest information on the Adobe Product Security Incident Response Team blog or by subscribing to the RSS feed.
Creative Suite security compromised
On Thursday, Adobe had announced that security issues compromised Photoshop CS5 and earlier, Illustrator CS5.5 and earlier and Flash Professional CS5.5 and earlier, according to information published on Adobe’s security bulletin on the company’s website.
The vulnerabilities in Photoshop could be exploited via opening malicious TIFF image files, Adobe said. It did not describe the possible attack methods targeting Illustrator or Flash Professional. According to Adobe, the security issues – which it characterised as “critical vulnerabilities” – could be exploited “to take control of the affected system.”
All the reported security issues are classified as Priority 3, which in Adobe parlance means “…vulnerabilities in a product that has historically not been a target for attackers.” In such cases, Adobe recommends “administrators install the update at their discretion.”
Adobe’s website further stated, “For users who cannot upgrade…Adobe recommends users follow security best practices and exercise caution when opening files from unknown or untrusted sources.”
As of Friday, that upgrade recommendation would have required buying the new CS6 versions; later that evening, the company changed its mind and decided to issue free patches for CS5, as is customary with supported products.
In explaining its previous position earlier in the day, the Adobe spokesperson had said that since the vulnerabilities had been resolved with the new CS6 version, “no dot release was scheduled or released for Adobe Photoshop CS5. In looking at all aspects, including the vulnerabilities themselves and the threat landscape, the team did not believe the real-world risk to customers warranted an out-of-band release for the CS5 version to resolve these issues.”
The spokesperson had further said that, “we are not aware of any exploits targeting any of the issues fixed…”
Decision sparks controversy
On Saturday, a number of security experts, along with many others on Twitter and on their blogs, criticised Adobe’s position.
“The general rule of thumb is that security patches should be issued for all products still considered in-support,” said Rich Mogull, a security analyst at Securosis.com who expressed surprise at Adobe’s initial decision. “I recently did some research on this and found no cases where an out-of-support product was issued security fixes…”
But Adobe CS4 and CS5 are still supported by the company. According to Mogull, not issuing a patch would be tantamount to “…breaking with industry convention and customer expectations. If the products are really out of support, then that’s understandable. But their own site shows them still within an active support window. CS5 is only two years old.”