Earlier this week, Adobe shipped critical updates to fix code execution vulnerabilities in the Photoshop and Illustrator software products but users looking for security protection will have to pay for these updates. The upgrade cost is $99 for Adobe Flash Professional, $199 for Adobe Photoshop CS5.5, and $249 for Adobe Illustrator CS5.5. The update for Adobe Shockwave Player is free.
The company acknowledged the vulnerabilities can be exploited to take complete control of affected machines but the fixes are are listed as a "paid upgrade," prompting criticisms that Adobe is forcing users to buy a product upgrade to get protection from cyber-criminals.
Adobe justifies the decision by saying that Photoshop and Illustrator are not targets for cyber-attacks and notes that these fixes are listed as "Priority 3," meaning that affected uses can install the update "at their discretion."
While that argument is certainly valid -- I haven't seen any specific attack against Photoshop or Illustrator -- the fact that the existence of these vulnerabilities is now public will surely raise eyebrows among attackers.
It sets a dangerous precedent to bundle critical security fixes in paid product upgrades and Adobe has to be very careful about leaving its users exposed to attacks. The company has done a phenomenal job in the areas of security response and product hardening but the decision not to backport these critical fixes could backfire and undo a lot of the good work done over the years.
What if a user does not need or cannot justify paying for the new features in a product upgrade that includes a security fix? That user is a sitting duck to malware attacks. The vulnerable code was created by Adobe and the user already paid for that product. Adobe owes it to its userbase to backport these fixes.
Big companies should not get away with forcing users to pay to fix bad code.