Adobe users required to pay for security

Summary: Adobe's recently released patches for Photoshop, Illustrator, Flash Professional and Shockwave have all been marked critical by the company, but users will be required to pay out of their own pocket for almost all of them.

(Broken locks image by Bc. Jan Kaláb, CC BY-SA 2.0)

All of the related vulnerabilities, found in each of Adobe's four software suites, have the potential to allow a remote user to execute arbitrary code and take complete control of the user's computer. While the patch for Shockwave is free, no such patch is available for CS5.5, or earlier versions of Photoshop, Illustrator and Flash Professional. Instead, users concerned about the vulnerabilities in these products will be required to purchase upgrades of each product.

Adobe's site says that it will cost $337 to upgrade to Photoshop CS6, $420 to upgrade to Illustrator CS6 and $163.62 to upgrade to Flash Professional CS6. None of the upgrades are available in "bricks-and-mortar" stores and must be downloaded from Adobe's website or shipped to users. Australian prices for the products are significantly higher than in the US, despite the same method of distribution, and some users have taken it upon themselves to find alternative ways to purchase Adobe's products.

Although the vulnerabilities have a severity classification of critical, the ones that require payment to patch have been given the lowest priority rating by Adobe. In its own words, this means that the "update resolves vulnerabilities in a product that has historically not been a target for attackers", and Adobe "recommends administrators install the update at their [own] discretion". The company has also noted in each of the security advisories for Photoshop, Illustrator and Flash Professional that it is not aware of any attacks in the wild that are exploiting the vulnerabilities.

Despite this claim, ZDNet Australia has noted that there is a working proof of concept for the Photoshop vulnerability in the wild, which could make it trivial for a hacker to launch a targeted attack on a user. If Australian users are unwilling to upgrade to the next version of the software, there are no actions that Australians can take, other than to follow Adobe's general advice to "follow security best practices and exercise caution when opening files from unknown or untrusted sources".

Although Photoshop is listed as a pre-order on Adobe's web store, Australian users can still purchase Photoshop CS6 via Adobe's website if they ignore the pre-order text.

The company told ZDNet Australia that "while Adobe did resolve these issues in the Adobe Illustrator/Photoshop/Flash Professional CS6 major releases, no dot release was scheduled or released for Adobe Illustrator/Photoshop/Flash Professional CS5 or CS5.5", and that "the team did not believe the real-world risk to customers warranted an out-of-band release to resolve these issues".

Updated at 10.34am, 11 May 2012: added comment from Adobe and provided clarification on the Australian availability of Photoshop CS6.

Topics: Security, Software Development

About

A Sydney, Australia-based journalist, Michael Lee covers a gamut of news in the technology space including information security, state Government initiatives, and local startups.
