Both Apple and Microsoft are good about releasing security updates for the previous generations of their software. Apple continues to patch Mac OS X 10.6 Snow Leopard even while 10.7 Lion is current, and Microsoft keeps both Office 2011 and Office 2008 for Mac from becoming vectors for attacks.
But Adobe seemed tone-deaf to this approach with its initial plan for fixing the latest security vulnerability in Photoshop CS5 and earlier on both Mac OS X and Windows. In short, a maliciously crafted TIFF file could corrupt memory in such a way as to let an attacker run code and take control of the affected system; simply opening the image in a vulnerable version of Photoshop is the trigger. Adobe has known about the vulnerability since late September 2011 and rates its severity as critical, but assigns it the lowest of its three patch-priority levels. Presumably because of that low priority, Adobe initially chose to close the hole only in Photoshop CS6, which is a $199 upgrade.
What if you didn’t want to upgrade to Photoshop CS6, which may involve learning-curve and plug-in compatibility costs beyond the $199 upgrade fee? Adobe said, “For users who cannot upgrade to Adobe Photoshop CS6, Adobe recommends users follow security best practices and exercise caution when opening files from unknown or untrusted sources.”
Ouch. It’s bad to use security vulnerabilities as a reason to encourage paid upgrades.
Three days after posting the initial security bulletin about this issue, and after catching a considerable amount of heat from professional users and the press, Adobe changed its stance. The company now promises a security update for Photoshop CS5.x (along with Illustrator and Flash Professional, which were apparently also vulnerable). No mention was made of earlier versions, and no release date was given.
Beyond that, the real problem is that now that the vulnerability is public, it is an obvious target for malware authors, who know there is a very large population of Photoshop users who won’t have updated to CS6, especially since CS6 has been available for only a few weeks. Worse, plenty of people (think schools with unsophisticated users and older machines) won’t be able to upgrade to CS6 for some time, if ever. We’ve already seen SabPub and Flashback exploiting vulnerabilities for which patches already existed; how long will it be before new variants use this one?
Until the update for Photoshop CS5.x appears, and in general if you’re using an earlier version, be careful of Trojans bearing TIFFs. Keep in mind that the flaw is in Photoshop’s own TIFF parsing, so a file that displays fine in Preview or a Web browser, which use different image code, is not thereby proven safe to open in Photoshop.