Thoughtful, detailed coverage of the Mac, iPhone, and iPad, plus the TidBITS Content Network for Apple consultants.

Adobe Relents on $199 Photoshop Security Fix

Both Apple and Microsoft are good about releasing security-related updates for the previous generations of their software. Apple continues to keep Mac OS X 10.6 Snow Leopard updated even while 10.7 Lion is current, and Microsoft keeps both Office 2011 and Office 2008 patched so that neither becomes a vector for attacks.

But Adobe seemed to be tone-deaf to this approach with its initial plan to fix the latest security vulnerability in Photoshop CS5 and earlier for both Mac OS X and Windows. In short, a maliciously crafted TIFF file could corrupt memory when Photoshop parses it, in such a way as to let an attacker run code of their choosing with the privileges of the user who opened the file, and thus take control of the affected system. Adobe has known about the vulnerability since late September 2011, and rates its severity as critical, but assigns it priority 3, the lowest of Adobe's three priority levels. Presumably because of the low priority, Adobe initially chose to close the hole only in Photoshop CS6, which is a $199 upgrade.
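To make concrete what "a maliciously crafted TIFF file could corrupt memory" means in practice, here is an added example, written for this article and not taken from Adobe or from the Photoshop code base. Adobe's bulletin does not describe the actual defect, so this does not model it; it shows the class of bug a TIFF parser is prone to (trusting the offsets and counts a file declares) and the bounds checks that prevent it. The function names, the 48-byte sample TIFF, and the three corrupted variants are all constructed for the example.

```c
/* Hardened TIFF header/IFD walker. Constructed as an illustration for this
 * article; NOT Adobe's code and not a model of the specific Photoshop bug.
 * A TIFF begins with a byte-order mark ("II" or "MM"), the magic 42, and a
 * 32-bit offset to the first Image File Directory (IFD). Each IFD holds a
 * 16-bit entry count, 12-byte entries (tag, type, count, value-or-offset),
 * and a 4-byte pointer to the next IFD. Every one of those numbers comes
 * from the file, so a parser that uses them unchecked reads (or writes)
 * wherever the attacker points it. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Byte size of each TIFF field type (index = type code 1..12); 0 = unknown. */
static const uint8_t TYPE_SIZE[13] = { 0, 1, 1, 2, 4, 8, 1, 1, 2, 4, 8, 4, 8 };

static uint16_t rd16(const uint8_t *p, int le) {
    return le ? (uint16_t)(p[0] | (p[1] << 8)) : (uint16_t)((p[0] << 8) | p[1]);
}
static uint32_t rd32(const uint8_t *p, int le) {
    return le ? ((uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24)
              : ((uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | (uint32_t)p[3]);
}

/* True if [off, off+n) lies inside a buffer of length len. Written so the
 * arithmetic cannot wrap: the naive test "off + n <= len" passes for
 * off = 0xFFFFFFFF, n = 10 in 32-bit arithmetic, which is exactly the kind
 * of crafted value that turns a parser into an out-of-bounds read. */
static int in_bounds(uint64_t off, uint64_t n, size_t len) {
    return off <= len && n <= (uint64_t)len - off;
}

/* Walks the first IFD. Returns the number of directory entries on success,
 * or -1 if any structure the file declares would fall outside the buffer. */
int tiff_walk_first_ifd(const uint8_t *buf, size_t len) {
    int le;
    if (len < 8) return -1;
    if (memcmp(buf, "II", 2) == 0)      le = 1;
    else if (memcmp(buf, "MM", 2) == 0) le = 0;
    else return -1;
    if (rd16(buf + 2, le) != 42) return -1;                  /* classic TIFF magic */

    uint32_t ifd_off = rd32(buf + 4, le);
    if (ifd_off < 8 || !in_bounds(ifd_off, 2, len)) return -1; /* room for the count */
    uint16_t n = rd16(buf + ifd_off, le);

    /* n entries of 12 bytes followed by a 4-byte next-IFD pointer. */
    if (!in_bounds((uint64_t)ifd_off + 2, (uint64_t)n * 12 + 4, len)) return -1;

    for (uint16_t i = 0; i < n; i++) {
        const uint8_t *e = buf + ifd_off + 2 + (size_t)i * 12;
        uint16_t type  = rd16(e + 2, le);
        uint32_t count = rd32(e + 4, le);
        uint32_t value = rd32(e + 8, le);
        if (type == 0 || type > 12) return -1;                /* unknown type: reject */
        uint64_t bytes = (uint64_t)count * TYPE_SIZE[type];   /* < 2^35, cannot overflow */
        /* Values wider than 4 bytes live out of line; `value` is then an offset. */
        if (bytes > 4 && !in_bounds(value, bytes, len)) return -1;
    }
    return n;
}

/* Constructed sample input (not a real file): a 48-byte little-endian TIFF
 * with two entries, ImageWidth stored inline and a 10-byte ImageDescription
 * stored out of line at offset 38. */
const uint8_t GOOD_TIFF[48] = {
    'I','I',0x2A,0x00, 0x08,0x00,0x00,0x00,            /* header, first IFD at 8   */
    0x02,0x00,                                          /* two entries              */
    0x00,0x01, 0x03,0x00, 0x01,0,0,0, 0x01,0,0,0,       /* 0x0100 SHORT[1] = 1      */
    0x0E,0x01, 0x02,0x00, 0x0A,0,0,0, 0x26,0,0,0,       /* 0x010E ASCII[10] @ 38    */
    0,0,0,0,                                            /* no next IFD              */
    'h','e','l','l','o',' ','T','I','F',0
};

/* Parses a copy of GOOD_TIFF with `n` bytes at `at` overwritten by `patch`. */
static int walk_patched(size_t at, const uint8_t *patch, size_t n) {
    uint8_t buf[sizeof GOOD_TIFF];
    memcpy(buf, GOOD_TIFF, sizeof buf);
    memcpy(buf + at, patch, n);
    return tiff_walk_first_ifd(buf, sizeof buf);
}
/* Three crafted variants, each a single field pointing outside the file. */
int demo_ifd_offset_past_eof(void)   { static const uint8_t p[4] = {0x00,0x10,0,0}; return walk_patched(4, p, 4); }
int demo_entry_count_too_large(void) { static const uint8_t p[2] = {0xFF,0xFF};     return walk_patched(8, p, 2); }
int demo_value_offset_wraps(void)    { static const uint8_t p[4] = {0xFF,0xFF,0xFF,0xFF}; return walk_patched(30, p, 4); }

int main(void) {
    printf("well-formed TIFF:        %d entries\n", tiff_walk_first_ifd(GOOD_TIFF, sizeof GOOD_TIFF));
    printf("IFD offset past EOF:     %d\n", demo_ifd_offset_past_eof());
    printf("entry count 65535:       %d\n", demo_entry_count_too_large());
    printf("value offset 0xFFFFFFFF: %d\n", demo_value_offset_wraps());
    return 0;
}
```

The third variant is the instructive one: an offset of 0xFFFFFFFF with a 10-byte count passes a 32-bit "offset + size <= length" test because the sum wraps to 9, and a parser that then copies from that address is reading far outside the file buffer. Photoshop's actual bug may be nothing like this, but the mitigation Adobe suggested ("exercise caution when opening files") is a poor substitute for checks of this kind in the parser itself.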

What if you didn’t want to upgrade to Photoshop CS6, which may involve learning-curve and plug-in compatibility costs beyond the $199 upgrade fee? Adobe said, “For users who cannot upgrade to Adobe Photoshop CS6, Adobe recommends users follow security best practices and exercise caution when opening files from unknown or untrusted sources.”

Ouch. It’s bad form to use a security vulnerability as a lever to sell paid upgrades, and "be careful what you open" is not a mitigation for a file-parsing bug in a program whose whole job is opening files.

Three days after posting the initial security bulletin about this issue — and catching a considerable amount of heat from professional users and the press — Adobe changed its stance. The company is now promising a security update to Photoshop CS5.x (along with Illustrator and Flash Professional, which were apparently also vulnerable). No mention was made of previous versions, nor was a release date given.

Beyond that, the real problem is that now that the vulnerability has been made public, it’s just asking to be exploited by malware authors, who know that there is a very large population of Photoshop users who won’t have updated to CS6, especially given that CS6 has been available for only a few weeks. Worse, there are plenty of people — think schools with unsophisticated users and older machines — who won’t be able to upgrade to CS6 for some time, if ever. We’ve already seen SabPub and Flashback exploiting vulnerabilities for which fixes had already been released elsewhere — how long will it be before new variants utilize this one?

Until the update for Photoshop CS5.x appears, and in general if you’re using an earlier version, be careful of Trojans bearing TIFFs.



Comments about Adobe Relents on $199 Photoshop Security Fix

Adam Engst (TidBITS Staffer)  2012-05-12 11:21
Good to see that they're doing the right thing - if only they'd said this from the beginning. It's not like this vulnerability is new.
smith-dewey  2012-05-12 07:28
I'm a long time graphic artist (pre-dating the original Mac) and have always dutifully purchased upgrades to the Adobe products I used to earn a living. But no more. Creative Suite jumped the shark some time back. Adobe products suffer from so much bloat, and now they are leaving a security hole in such a recent version of the product? I'll endure the pain of a learning curve and switch to Pixelmator as my main image editing program. I purchased via the Mac app store when it hit version 2, and have used as a secondary program, but no longer. Will reserve my trips to Photoshop to the really odd times when I might not find a feature in Pixelmator.

As my work is now mostly Web, I no longer rely on InDesign as much as I did a half dozen years back. I see no compelling reasons to "upgrade" to the latest.

This is an epiphany, for as I said early I automatically upgraded to Adobe products as soon as they came out. However, I think their day has passed, as it did for Quark earlier.
George  2012-05-12 14:58
$199.00 that I have to pay to fix Adobe's error. Another reason to turn away from Adobe.

Adobe is possibly the most greedy company of the computer business.
Steve Werner  2012-05-12 15:18
George, read comment #1. You won't have to pay.
Your article starts: "Both Apple and Microsoft are good about releasing security-related updates to the previous generations of their software." But is this really true of Apple? I've been seeing warnings that, if it follows its historical pattern, Apple will stop issuing security updates for Snow Leopard when Mountain Lion ships -- no matter how many S.L. users there still are. Microsoft seems to maintain backwards compatibility and support far longer than Apple does, in various ways.
Adam Engst (TidBITS Staffer)  2012-05-15 05:25
For the most part, yes, Apple will stop releasing updates for Snow Leopard once Mountain Lion is out. Their policy is to maintain security updates for one generation back. But, they just released two security-related updates for Leopard (to disable Flash and remove Flashback) so they seem willing to bend that rule as necessary.

I think Microsoft is indeed better about this, but they sort of have to be, since people tend to avoid upgrading Windows and Windows apps as much. There are still vast numbers of Windows XP installations out there, despite it having been supplanted by both Vista and Windows 7. Now that I look more closely, Microsoft lays out their support policy at:

where they say that business products get 5 years of mainstream support and 5 more years of extended support. It's somewhat less for consumer and hardware products, obviously.
"I think Microsoft is indeed better about this, but they sort of have to be, since people tend to avoid upgrading Windows and Windows apps as much."

There may be a bit of chicken-and-egg issue there. Maybe one of the reasons people don't upgrade Windows as much is that they still get support if they don't. Anyway, I wouldn't really care except that Apple's recent "upgrades" feel like downgrades to me.
Steve Jobs was well known for being two things: a little nuts about some things, and also right on the money. Apple jumped the gun a few times w/GUI, multitasking, color, sound, USB, Firewire, floppy delete [and soon opticals gone too], many others early where the world came around and was thrilled (eventually). Steve hated both Adobe & Java, and this month I don't wonder why. The thing is: what is the alternative to these monopolies? I get a little testy about Apple ditching support and backwards compatibility for this or that, but Adobe has really abused their monopoly the past few years (and I am not ready for GIMP just yet), and this time it is stupidity, for announcing the specifics of an unpatched vulnerability, and then suggesting owners of the most expensive mass-market software drop more cash in their plate. CS (at least P-shop!) replacement, anyone? Anyone? You'd make at least a buck per line of code. . .