Adobe to Customers Exposed by Vulnerability: Pay to Upgrade or Remain at Risk

Adobe’s Photoshop is a key application within the marketing, advertising, sales, publishing and graphic design markets. Businesses that rely on images to move product use Adobe’s costly flagship product. So when code execution vulnerabilities were discovered in Photoshop 12 (CS5) it’s easy to think that a patch would not only be released, but that it would be free. Those thoughts couldn’t be further from the truth.

Earlier this week, Adobe posted a security bulletin for Photoshop 12 (Creative Suite 5), detailing vulnerabilities that impact both the Windows and Mac versions of the imaging software.

The problem exists within the parsing of TIFF images (a common format used for print images). If a malicious TIFF is opened, the attacker can execute code on the system with the privileges of the active user. 

Given that most users are administrators, and that the TIFF format is associated with CS5 on systems where it is installed, the vulnerability is a perfect example of how a focused attack can gain leverage on a network.

An attacker can scout for organizations using CS5 (by digging for metadata in published documents or using straight social engineering) and deliver malicious TIFF files in order to compromise the network. It isn’t hard to see this playing out, considering that working proof-of-concept (PoC) code is already publicly available.

To make matters worse, users are just now being told about the problem, as Adobe first learned of the issue last September (9-20-2011) and the PoC was released in March. Moreover, organizations and individuals using CS5 are essentially stuck with the vulnerability.

Adobe, however, appears to be downplaying the threat associated with the vulnerability.

“In looking at all aspects, including the vulnerabilities themselves and the threat landscape, the team did not believe the real-world risk to customers warranted an out-of-band release for the CS5 version to resolve these issues,” an Adobe spokesperson told SecurityWeek.

“The security bulletin for Photoshop is rated as a Priority 3 update, indicating that it is a product that has historically not been a target for attackers, and in this case we are not aware of any exploits targeting any of the issues fixed,” the spokesperson added. “Installation of the upgrade is therefore at the user’s/administrator’s discretion.”

In short, the only way to fix the problem is to pay for CS6. On the low end, an upgrade will cost $199. However, for organizations that require CS6 Design Standard, due to the need for Illustrator and InDesign (two common applications for organizations using Photoshop), the cost jumps to $275. Photoshop on its own, complete with the vulnerability fix, is $699, and CS6 Design Standard (the smallest of the CS family) will cost $1,299. This is an expensive solution.

Some of the firms that need the update can afford it, but what options do the organizations that cannot update CS5, for one reason or another, have?

“For users who cannot upgrade to Adobe Photoshop CS6, Adobe recommends users follow security best practices and exercise caution when opening files from unknown or untrusted sources,” Adobe’s bulletin explains. 

CS5 was released by Adobe in April 2010. CS6 was launched two years later on April 23, 2012. In this case, it looks as if Adobe is telling customers that they will no longer support CS5. This comes off as strange, given that it is only two years old.

Compare that to other business-essential platforms, such as Windows XP. Microsoft will finally end support for it in 2014, 13 years after its initial release. Even Windows ME had 6 years of support after it was replaced.

In the end, Adobe holds all the cards. Organizations either assume the risk or pay for protection.

Steve Ragan is a security reporter and contributor for SecurityWeek. Prior to joining the journalism world in 2005, he spent 15 years as a freelance IT contractor focused on endpoint security and security training.