Adobe to Customers Exposed by Vulnerability: Pay to Upgrade or Remain at Risk

Adobe’s Photoshop is a key application within the marketing, advertising, sales, publishing and graphic design markets. Businesses that rely on images to move product use Adobe’s costly flagship product. So when code execution vulnerabilities were discovered in Photoshop 12 (CS5) it’s easy to think that a patch would not only be released, but that it would be free. Those thoughts couldn’t be further from the truth.

Earlier this week, Adobe posted a security bulletin for Photoshop 12 (Creative Suite 5), detailing vulnerabilities that impact both the Windows and Mac versions of the imaging software.

The problem exists within the parsing of TIFF images (a common format used for print images). If a malicious TIFF is opened, the attacker can execute code on the system with the privileges of the active user. 

Given that most users are administrators, and that the TIFF format is associated with CS5 on systems where it is installed, the vulnerability is a perfect example of how a focused attack can gain leverage on a network.
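The article does not describe the parsing flaw itself, so the only defender-side control that can be built from it is a gate in front of the image application: refuse untrusted TIFF files whose structure does not even hold together before Photoshop ever parses them. The following screening check is an added example written for this article, not Adobe code or a detection of the specific CS5 bug. It walks the TIFF 6.0 header and IFD chain and reports offsets that point outside the file, bogus field types, out-of-order tags and looping directory chains. The sample files it is run on are constructed inline; a real pipeline would call `check_tiff` on attachments or uploads and quarantine anything that returns a non-empty list.

```python
import struct

# Byte size of one element for each TIFF 6.0 field type (type code -> bytes).
TIFF_TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 6: 1, 7: 1, 8: 2, 9: 4, 10: 8, 11: 4, 12: 8}
MAX_IFDS = 64        # how many directories in the chain we are willing to follow
MAX_ENTRIES = 4096   # upper bound on entries per directory before we call it hostile


def check_tiff(data: bytes) -> list:
    """Return a list of structural problems found in a TIFF byte string.

    An empty list means the header is sane, every directory and every
    out-of-line value stays inside the file, tags are ascending as the
    specification requires, and the IFD chain terminates.  It is a
    screening check for untrusted input, not a full decoder.
    """
    problems = []
    size = len(data)
    if size < 8:
        return ["file shorter than the 8-byte TIFF header"]
    order = data[:2]
    if order == b"II":
        end = "<"          # little-endian ("Intel")
    elif order == b"MM":
        end = ">"          # big-endian ("Motorola")
    else:
        return ["byte-order mark is neither 'II' nor 'MM'"]
    magic, ifd_off = struct.unpack(end + "HI", data[2:8])
    if magic != 42:
        problems.append("magic number is %d, expected 42" % magic)
    seen = set()
    while ifd_off != 0:
        if ifd_off in seen:
            problems.append("IFD chain loops back to offset %d" % ifd_off)
            break
        if len(seen) >= MAX_IFDS:
            problems.append("more than %d IFDs in chain" % MAX_IFDS)
            break
        seen.add(ifd_off)
        if ifd_off + 2 > size:
            problems.append("IFD offset %d is beyond end of file" % ifd_off)
            break
        (n,) = struct.unpack(end + "H", data[ifd_off:ifd_off + 2])
        if n == 0 or n > MAX_ENTRIES:
            problems.append("IFD at %d has an unreasonable entry count %d" % (ifd_off, n))
            break
        entries_end = ifd_off + 2 + 12 * n + 4   # entries plus next-IFD pointer
        if entries_end > size:
            problems.append("IFD at %d with %d entries runs past end of file" % (ifd_off, n))
            break
        prev_tag = -1
        for i in range(n):
            pos = ifd_off + 2 + 12 * i
            tag, typ, count, value = struct.unpack(end + "HHII", data[pos:pos + 12])
            if tag <= prev_tag:
                problems.append("entry %d in IFD at %d: tag %d not ascending" % (i, ifd_off, tag))
            prev_tag = tag
            elem = TIFF_TYPE_SIZES.get(typ)
            if elem is None:
                problems.append("entry %d (tag %d): unknown field type %d" % (i, tag, typ))
                continue
            nbytes = elem * count
            # Values wider than 4 bytes live elsewhere in the file; 'value' is then an offset.
            if nbytes > 4 and value + nbytes > size:
                problems.append("entry %d (tag %d): %d bytes at offset %d exceed file size %d"
                                % (i, tag, nbytes, value, size))
        (ifd_off,) = struct.unpack(end + "I", data[entries_end - 4:entries_end])
    return problems


def build_tiff(entries, order=b"II", first_ifd=8):
    """Assemble a header plus one IFD from (tag, type, count, value) tuples.

    Helper for constructing the sample inputs below; it is not a real encoder.
    """
    end = "<" if order == b"II" else ">"
    out = order + struct.pack(end + "HI", 42, first_ifd)
    out += struct.pack(end + "H", len(entries))
    for tag, typ, count, value in entries:
        out += struct.pack(end + "HHII", tag, typ, count, value)
    return out + struct.pack(end + "I", 0)


# Constructed sample: a well-formed 1x1 bilevel image, pixel data at offset 110.
GOOD_TIFF = build_tiff([(256, 3, 1, 1), (257, 3, 1, 1), (258, 3, 1, 1), (259, 3, 1, 1),
                        (262, 3, 1, 0), (273, 4, 1, 110), (278, 3, 1, 1), (279, 4, 1, 1)]) + b"\x00"
# Constructed sample: ImageDescription (tag 270) claims 4096 ASCII bytes at offset 4000 in a 38-byte file.
BAD_ENTRY_TIFF = build_tiff([(256, 3, 1, 1), (270, 2, 4096, 4000)])
# Constructed sample: the header points at an IFD far past the end of the file.
BAD_IFD_TIFF = build_tiff([], first_ifd=100000)
# Constructed sample: the next-IFD pointer points back at the first IFD.
LOOPING_TIFF = build_tiff([(256, 3, 1, 1)])[:-4] + struct.pack("<I", 8)

if __name__ == "__main__":
    for name, blob in [("good", GOOD_TIFF), ("bad entry", BAD_ENTRY_TIFF),
                       ("bad ifd", BAD_IFD_TIFF), ("loop", LOOPING_TIFF)]:
        print(name, check_tiff(blob) or "ok")
```

The check is deliberately conservative about what it asserts: it verifies that offsets, counts and types are internally consistent, which any legitimate encoder satisfies, and makes no attempt to interpret pixel data. A file that fails it has no business reaching a desktop parser running with the user's full privileges; a file that passes has merely cleared the lowest bar.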

An attacker can scout for organizations using CS5 (by digging for metadata in published documents or using straight social engineering) and deliver malicious TIFF files in order to compromise the network. It isn’t hard to see this playing out, considering that working proof-of-concept (PoC) code is already publicly available.

To make matters worse, users are just now being told about the problem, as Adobe first learned of the issue last September (9-20-2011) and the PoC was released in March. Moreover, organizations and individuals using CS5 are essentially stuck with the vulnerability.

Adobe, however, appears to be downplaying the threat associated with the vulnerability.

“In looking at all aspects, including the vulnerabilities themselves and the threat landscape, the team did not believe the real-world risk to customers warranted an out-of-band release for the CS5 version to resolve these issues,” an Adobe spokesperson told SecurityWeek.

“The security bulletin for Photoshop is rated as a Priority 3 update, indicating that it is a product that has historically not been a target for attackers, and in this case we are not aware of any exploits targeting any of the issues fixed,” the spokesperson added. “Installation of the upgrade is therefore at the user’s/administrator’s discretion.”

In short, the only way to fix the problem is to pay for CS6. On the low end, an upgrade will cost $199. For organizations that require CS6 Design Standard, however, because they also need Illustrator and InDesign (two common applications for organizations using Photoshop), the cost jumps to $275. Photoshop on its own, complete with the vulnerability fix, is $699, and CS6 Design Standard (the smallest of the CS family) will cost $1,299. This is an expensive solution.

Some of the firms that need the update can afford it. But what about the organizations that cannot update CS5 for one reason or another? What options do they have?

“For users who cannot upgrade to Adobe Photoshop CS6, Adobe recommends users follow security best practices and exercise caution when opening files from unknown or untrusted sources,” Adobe’s bulletin explains. 

CS5 was released by Adobe in April 2010. CS6 was launched two years later on April 23, 2012. In this case, it looks as if Adobe is telling customers that they will no longer support CS5. This comes off as strange, given that it is only two years old.

Compare that to other business-essential platforms, such as Windows XP. Microsoft will finally end support for it in 2014, 13 years after its initial release. Even Windows ME had 6 years of support after it was replaced.

In the end, Adobe holds all the cards. Organizations either assume the risk or pay for protection.
