Adobe users required to pay for security

Adobe users required to pay for security

Summary: Adobe's recent release of patches for Photoshop, Illustrator, Flash Professional and Shockwave have all been marked critical by the company, but users will be required to pay out of their own pocket for almost all of them.

SHARE:

update Adobe's recent release of patches for Photoshop, Illustrator, Flash Professional and Shockwave have all been marked critical by the company, but users will be required to pay out of their own pocket for almost all of them.

(Broken locks image by Bc. Jan Kaláb, CC BY-SA 2.0)

All of the related vulnerabilities, found in each of Adobe's four software suites, have the potential to allow a remote user to execute arbitrary code and take complete control of the user's computer. While the patch for Shockwave is free, no such patch is available for CS5.5, or earlier versions of Photoshop, Illustrator and Flash Professional. Instead, users concerned about the vulnerabilities in these products will be required to purchase upgrades of each product.

Adobe's site says that it will cost $337 to upgrade to Photoshop CS6, $420 to upgrade to Illustrator CS6 and $163.62 to upgrade to Flash Professional CS6. None of the upgrades are available in "bricks-and-mortar" stores and must be downloaded from Adobe's website or shipped to users. Australian prices for the products are significantly higher than in the US, despite the same method of distribution, and some users have taken it upon themselves to find alternative ways to purchase Adobe's products.

Although the vulnerabilities have a severity classification of critical, the ones requiring payment to patch the vulnerabilities have been given the lowest priority rating by Adobe. In its own words, this means that the "update resolves vulnerabilities in a product that has historically not been a target for attackers", and Adobe "recommends administrators install the update at their [own] discretion". The company has also noted in each of the security advisories for Photoshop, Illustrator and Flash Professional that it is not aware of any attacks in the wild that are exploiting the vulnerabilities.

Despite this claim, ZDNet Australia has noted that there is a working proof of concept for the Photoshop vulnerability in the wild, which could make it trivial for a hacker to launch a targeted attack on a user. If Australian users are unwilling to upgrade to the next version of the software, there are no actions that Australians can take, other than to follow Adobe's general advice to "follow security best practices and exercise caution when opening files from unknown or untrusted sources".

Although Photoshop is listed as a pre-order on Adobe's web store, Australian users can still purchase Photoshop CS6 via Adobe's website if they ignore the pre-order text.

The company told ZDNet Australia that "while Adobe did resolve these issues in the Adobe Illustrator/Photoshop/Flash Professional CS6 major releases, no dot release was scheduled or released for Adobe Illustrator/Photoshop/Flash Professional CS5 or CS5.5", and that "the team did not believe the real-world risk to customers warranted an out-of-band release to resolve these issues".

Updated at 10.34am, 11 May 2012: added comment from Adobe and provided clarification on the Australian availability of Photoshop CS6.

Topics: Security, Software Development

Michael Lee

About Michael Lee

A Sydney, Australia-based journalist, Michael Lee covers a gamut of news in the technology space including information security, state Government initiatives, and local startups.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

6 comments
Log in or register to join the discussion
  • "Adobe's site says that it will cost $337 to upgrade to Photoshop CS6 (which is currently not yet available for Australians)"

    - Hasn't CS6 been available to Australians since Tue 8 May (Adobe shipped CS6 in the US on Mon 7 May). I'm currently running it here in South Australia.
    johnw1965
    • Hi Johnw1965,

      Adobe's main website currently lists it as preorder only, but we've received additional information from the company on how Australian users can legally download CS6. We'll be issuing an update to this story shortly.

      Cheers,

      Michael.
      Michael Lee (Mukimu)
      • The Creative Cloud is pre-order only this week. That's available on Fri 11 May (US timezone).

        Perpetual licensed products have been available since Mon 7 May (US timezone).
        johnw1965
        • You're right, johnw1965. We've updated our article to show that users can get a copy of CS6 right now. Thanks for the feedback!

          -Michael.
          Michael Lee (Mukimu)
  • The Adobe bulletin says: "Adobe has released Adobe Photoshop CS6 (paid upgrade), which addresses these vulnerabilities. We are in the process of resolving these vulnerabilities in Adobe Photoshop CS5.x"
    This means that Photoshop CS6 already has the issue fixed while a patch will be released for CS5.x. This doesn't mean CS5.x users will have to pay for patches [or go to CS6] to fix the problem.
    Gisabun
    • When this article was written, Adobe had told us that no patch was "scheduled or released". The company, to its credit, has now reversed this decision and updated its security bulletins (check the publication and last updated dates on the bulletins) to reflect the fact that they are now going to release patches for 5.x.

      This article has the latest on Adobe's change in decision: http://www.zdnet.com.au/adobe-will-now-issue-free-security-fixes-for-cs5-apps-339337773.htm

      -Michael.
      Michael Lee (Mukimu)