Photoshop, Illustrator users must pay for critical security updates

Summary: What if a user does not need or cannot justify paying for the new features in a product upgrade that includes a security fix? That user is a sitting duck to malware attacks.

Earlier this week, Adobe shipped critical updates to fix code execution vulnerabilities in the Photoshop and Illustrator software products, but users looking for security protection will have to pay for these updates. The upgrade cost is $99 for Adobe Flash Professional, $199 for Adobe Photoshop CS5.5, and $249 for Adobe Illustrator CS5.5. The update for Adobe Shockwave Player is free.

The company acknowledged the vulnerabilities can be exploited to take complete control of affected machines, but the fixes are listed as a "paid upgrade," prompting criticism that Adobe is forcing users to buy a product upgrade to get protection from cyber-criminals.

Adobe justifies the decision by saying that Photoshop and Illustrator are not targets for cyber-attacks and notes that these fixes are listed as "Priority 3," meaning that affected users can install the update "at their discretion."

While that argument is certainly valid -- I haven't seen any specific attack against Photoshop or Illustrator -- the fact that the existence of these vulnerabilities is now public will surely raise eyebrows among attackers.

It sets a dangerous precedent to bundle critical security fixes in paid product upgrades, and Adobe has to be very careful about leaving its users exposed to attacks. The company has done a phenomenal job in the areas of security response and product hardening, but the decision not to backport these critical fixes could backfire and undo a lot of the good work done over the years.

What if a user does not need or cannot justify paying for the new features in a product upgrade that includes a security fix? That user is a sitting duck to malware attacks. The vulnerable code was created by Adobe and the user already paid for that product. Adobe owes it to its userbase to backport these fixes.

Big companies should not get away with forcing users to pay to fix bad code.

Topics: Security, Enterprise Software

Talkback

74 comments
  • Out of curiosity

    Why do Photoshop and Illustrator need to access the internet in the first place? If this is an issue, why not make a deny all rule in the Windows Firewall for the applications?

    Joey
    voyager529
    • Because sometimes

      these applications are used for web development which can require access to the web.

      Also if the computer is connected to the web someone can use a locally installed application to exploit the computer and gain web access. Blocking those programs in the firewall may not do anything.
      bobiroc
      • Firewall considerations...

        I use a security solution that includes an application fire wall in addition to a packet firewall. It provides a panel to restrict access to the intranet and/or the Internet for every application and DLL that is installed in Windows. If you have a Mac, I am not sure what you can do to control or monitor applications that connect to the Internet...
        Splork
      • Dreamweaver, maybe. PS/IL, not so much...

        Yes, bitmap/vector art is a core aspect of web development, but I'm unaware of anyone actually uploading a PSD or EPS onto a website. Photoshop and Illustrator are used to create graphics that in the overwhelming majority of cases find themselves a part of a Dreamweaver or Flash project that *then* get uploaded to the Internet. I see no reason why preventing PS/IL from accessing the internet would impede productivity.

        As for it being a secondary vector, if an application can run with enough access to start Photoshop and cause a buffer overflow yet simultaneously do an end-run around a software firewall that prevents the process from going anywhere north of 127.0.0.1, it sounds like you've already lost.

        Joey
        voyager529
• It's even more than that, way more.

When a software company creates a piece of software, it's implied that using it is not going to put your computer at any undue risk. It's long been accepted, though, that it's almost impossible for any significant piece of software to be so perfect it will never be found lacking in security in some way sooner or later. We accept that even the most conscientious of companies will typically need to provide updates to fix the security problems from time to time.

        The reason we can usually have some confidence in these software companies is that creating and distributing updates cost them money....not us..RIGHT?? I mean, they are not going to go the sloppy code route if its just going to cost them more time and money right later...RIGHT??

Well, if we just start letting these kinds of software companies off the hook for this, it only invites sloppy coding. The way Adobe appears to want to do business makes sloppy coding not only the easier way, it could turn into the more profitable way. Software with built-in obsolescence. Pay to fix it or sooner or later it's going to jump up and bite you.

Is this the way it's all going to work soon?? You want software? Yes? Well, purchase at your own risk, because if you want any faith in it you're going to keep getting tagged for upgrades and patches?

Are software companies now trying to eliminate what's becoming known as the "XP Effect"? Where, because of the fact that software doesn't wear out, as long as it still works it's good to go for as long as it meets your needs? Even forever?

        It sure looks like Adobe is trying to pave the way. Well I would let them pave their way to the bone yard because it stinks. Sure, it sounds like a great business plan, create junk software and then keep people shelling out the bucks on a regular basis to keep it from destroying your whole system.

        Ridiculous.
        Cayble
      • well said. Adobe is looking to cash in on the enterprise users

Enterprise usage of these programs in sensitive industries will force the companies to pay for updates to mitigate the vulnerabilities. It just means that Adobe can't get enough sales for their product upgrades from normal methods, so they force companies that utilize professional products to pay for the protection. If you use the apps and are part of, let's say, the DOD or another government agency, these vulnerabilities need to be addressed to meet security standards.
        Bakabaka
      • @Cayble

        Isn't "the new normal" of capitalism in the software creation industry cool?
        HypnoToad72
      • Say it again

        @HypnoToad72
        [i]Isn't "the new normal" of capitalism in the software creation industry cool?[/i]

        Say it again brother.
        klumper
      • A corporate dream scheme come true

        @Cayble
[i]Software with built-in obsolescence. Pay to fix it or sooner or later it's going to jump up and bite you.[/i]

        Pay me now, [b]AND[/b] pay me later. Fram had it all wrong, silly fools.
        klumper
    • Adobe Products connect to many different Adobe Services

They're upping the connection to services quite a bit with CS6 products too. Their "Creative Cloud" is supposed to be more like the MS effort to connect Office users to their services. How many times has Word or PowerPoint asked you to connect to MS to check for additional help or free templates? Adobe Photoshop Elements 9 will connect to Photoshop.com when you start the app.

      Given that Adobe makes multi-platform programs and suites (Win/OS X), is this an OS specific vulnerability or can the attack vector be multi-platform too? I find the trend for application developers to create programs that must connect to their services to be very disturbing given the new malware strategies that target 3rd party code instead of the OS itself.

      PS Thanx for pointing this out. At last some useful information that goes beyond certain bloggers that repeatedly flog the same issue over and over and over...
      Splork
      • Creative Cloud makes this issue irrelevant though

        From what I understand, Creative Cloud/CS6 is designed such that the suite verifies your subscription once a month, but you also get rolling patches and new releases. When CS7 comes out, you get it as part of your subscription. When security updates come out, the same applies. Thus, the issue in the fine article will only apply to people like me who still insist on Adobe products coming on plastic discs.

Photoshop Elements != Photoshop or Illustrator, though I do agree that certain exploits still apply. Elements is much more consumer focused, and thus photoshop.com/Flickr/YouTube uploading would be a more useful feature there than it would be in the pro versions of Photoshop; if you are spending that kind of money on the Adobe Creative Suites, you're much more likely to be uploading via FTP to a real hosting service of some kind. Just about the only internet connectivity I've found useful in Photoshop is Kuler, but even that I can do without. Ultimately, the point still stands: why do Photoshop and Illustrator *need* (as in beneficial for the user, not for Adobe) to connect to the internet?

        Joey
        voyager529
      • Please explain how Creative Cloud makes this irrelevant?

        I believe that the service you describe is subscription based updates.

From the "Creative Cloud" login page:
        "[i]All the tools you need to create, collaborate, and stay connected.[/i]"

        Also (emphasis mine):
        "[i]What is Creative Cloud?

Adobe® Creative Cloud™ is the digital hub that lets you download and install every Adobe Creative Suite® 6 application; [b]access online services for file sharing, collaboration, and publishing[/b]; and benefit from new apps and features as soon as they're released -- giving you the freedom to create anything you can imagine.[/i]"

That sounds like a much more integrated service to the applications than your description. For the record, Lightroom also publishes to Facebook/Flickr/YouTube/etc. I don't have a CS Suite yet, but I will on Monday. My most current version of Photoshop is 7 and Illustrator 10. These may only check for updates when directed to.
        Splork
      • How Creative Cloud makes this irrelevant

        @Splork:

        Creative Cloud makes the issue in the fine article irrelevant because the $50 a month Adobe is charging is for the use of the software, patches, and the ability to save your project files in Adobe's cloud storage area. Since patches are a part of the subscription fee, one of Adobe's selling points is the fact that the kinds of issues that Ryan discusses *won't* come into play.

        As stated in the parent post, the issue only applies to people like myself who refuse to buy Adobe software that doesn't come on plastic discs. Since it's a one-time purchase, it is people like myself, not Creative Cloud subscribers, who would need to be concerned with security patches. Adobe's security patch support policy for purchasers (as opposed to subscribers) is what is being called into question.

        Joey
        voyager529
      • @voyager529

        Don't you think that "'Creative' Cloud" is the excuse behind this, effectively forcing the issue while trying to make it look like a choice?

        It's a petty, greedy, unethical cash grab with no responsibility toward anyone.

        No doubt they get taxpayer-funded handouts from government as well just to fatten their wallets too... most large entities do these days (can't they profit off of their own efforts instead of receiving handouts and entitlements? Where've I heard that before and to whom...)
        HypnoToad72
      • Ha! Really?! Really?! Irrelevant or just the other shoe dropping?

        @voyager529

        Nah...not at all irrelevant. Cloudworks business models are the biggest money ripping scheme there is.

Massive and so friggin' obvious I can hardly believe the whole IT world isn't up on their feet shouting at the top of their lungs "LOOK OUT!!!!"

        Did you actually write the words "subscription once a month" in relation to not costing ongoing money to keep a program security safe???

Cloud computing is the most scandalous idea ever produced in the IT industry. When it now costs next to nothing for HD storage and CPUs are only getting more powerful than even needed, your suggestion is to not purchase software ONCE but instead incur recurring monthly costs?

        This is insanity. Someone out there please tell me you see where this whole "cloud computing" plan is trying to take us.

Just in case you cannot, the plan is to save us the money we spend once every three to five years on hardware by replacing that cost with a monthly fee for every piece of software we use. And be at the whims of the software company, as well as of an internet connection.

        Avoid the cloud. Unless you feel good about just giving it ALL away.
        Cayble
• Software activation, to ensure you - the customer - are not a thief

      :(
      HypnoToad72
      • BING! BING! BING! BING!

        We have a winner!
        Cayble
  • If an update addresses vulnerabilities it should be free

If they claim that the reason they are charging is that these updates include new features, then they need to provide the critical security updates separately, at no cost, without the new features they want to charge for.

    Adobe can claim that these products are not a target but that is not an excuse as any piece of software or operating system can become a target at any time.
    bobiroc
  • I guess

    I guess when you're Adobe you can pretty much dictate the terms and tell your clients to go suck an egg if they don't like it. Must be nice to not have any serious competition in your product segment.
    dsf3g
    • Gee, that sounds like somebody out in Redmond

      Need I say who?
      ScorpioBlack