Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Adobe Changes Tune on Forcing Paid Upgrade to Fix Security Flaws

Yesterday, SecurityWeek reported on a decision by Adobe to forgo developing a software patch to address code execution vulnerabilities in three applications under its popular CS5 creative suite.

Yesterday, SecurityWeek reported on a decision by Adobe to forgo developing a software patch to address code execution vulnerabilities in three applications under its popular CS5 creative suite.

The problem exists within the parsing of TIFF images (a common format used for print images). If a malicious TIFF is opened, an attacker could execute code on the system with the privileges of the active user. The vulnerabilities impact both the Windows and Mac versions of the imaging software.

Instead of developing a patch for the software, Adobe originally said that in order to fix the issue, users would have to upgrade their software to the newer CS6 version—something users would have to pay for.

“In looking at all aspects, including the vulnerabilities themselves and the threat landscape, the team did not believe the real-world risk to customers warranted an out-of-band release for the CS5 version to resolve these issues,” an Adobe spokesperson originally told SecurityWeek.

But since then, and after complaints, bad press, and user backlash, Adobe has changed its tune. The company now says that it is in the process of developing a patch that won’t essentially force users to upgrade in order to fix the security vulnerability.

“We are in the process of resolving the vulnerabilities addressed in these Security Bulletins in Adobe Illustrator CS5.x, Adobe Photoshop CS5.x (12.x) and Adobe Flash Professional CS5.x, and will update the respective Security Bulletins once the patches are available,” Adobe’s David Lenoe wrote in a blog post late Friday.

Advertisement. Scroll to continue reading.

Developing a patch, especially for three different applications, can be costly and time consuming. Developing these patches consumes development resources, then must run through a QA process, and the patch needs to be communicated and distributed to users. And for a company like Adobe with a massive customer base using its Photoshop, Illustrator, and Flash Professional, the bandwidth cost alone can be substantial.

For a popular product that was just over two years old, providing a fix to address a serious security flaw its what customers deserve. And while Adobe may have originally tried to sneak by without addressing the issue and pushing users to upgrade to its new product, the company made the right move in the end.

Written By

For more than 15 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is founder and director of several leading cybersecurity industry conferences around the world.

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing for the latest cybersecurity threats, trends, and expert insights.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this live webinar as we break down why email-layer defenses alone can't keep pace with the modern phishing ecosystem, how agentic AI is changing the capacity equation for security teams, and more.

Register

This year's summit will help organizations learn how to utilize tools, controls, and design models needed to properly secure cloud environments. Interact with leading solution providers and other end users facing similar challenges in securing a variety of cloud deployments.

Register

People on the Move

James Phillips has been promoted to the role of Vice President, Cybersecurity Risk Management at AT&T.

Rafal Los has joined Binary Defense as Chief Strategy Officer.

Tracey Mustacchio has joined Everfox as Chief Marketing Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.