Yesterday, SecurityWeek reported on a decision by Adobe to forgo developing a software patch to address code execution vulnerabilities in three applications under its popular CS5 creative suite.
The problem exists within the parsing of TIFF images (a common format used for print images). If a malicious TIFF is opened, an attacker could execute code on the system with the privileges of the active user. The vulnerabilities impact both the Windows and Mac versions of the imaging software.
Instead of developing a patch for the software, Adobe originally said that in order to fix the issue, users would have to upgrade their software to the newer CS6 version—something users would have to pay for.
“In looking at all aspects, including the vulnerabilities themselves and the threat landscape, the team did not believe the real-world risk to customers warranted an out-of-band release for the CS5 version to resolve these issues,” an Adobe spokesperson originally told SecurityWeek.
But since then, and after complaints, bad press, and user backlash, Adobe has changed its tune. The company now says that it is in the process of developing a patch that won’t essentially force users to upgrade in order to fix the security vulnerability.
“We are in the process of resolving the vulnerabilities addressed in these Security Bulletins in Adobe Illustrator CS5.x, Adobe Photoshop CS5.x (12.x) and Adobe Flash Professional CS5.x, and will update the respective Security Bulletins once the patches are available,” Adobe’s David Lenoe wrote in a blog post late Friday.
Developing a patch, especially for three different applications, can be costly and time consuming. Developing these patches consumes development resources, then must run through a QA process, and the patch needs to be communicated and distributed to users. And for a company like Adobe with a massive customer base using its Photoshop, Illustrator, and Flash Professional, the bandwidth cost alone can be substantial.
For a popular product that was just over two years old, providing a fix to address a serious security flaw its what customers deserve. And while Adobe may have originally tried to sneak by without addressing the issue and pushing users to upgrade to its new product, the company made the right move in the end.
For more than 10 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.
More from Mike Lennon
- Virtual Event Today: Supply Chain & Third-Party Risk Summit
- Ferrari Says Ransomware Attack Exposed Customer Data
- Webinar Today: How to Build Resilience Against Emerging Cyber Threats
- Make Your Picks: Cyber Madness Bracket Challenge Starts Today
- Cyber Madness Bracket Challenge – Register to Play
- Watch Sessions: Ransomware Resilience & Recovery Summit
- Webinar Today: Entering the Cloud Native Security Era
- White House Releases National Cybersecurity Strategy
Latest News
- CISA, NSA Issue Guidance for IAM Administrators
- Analysis: SEC Cybersecurity Proposals and Biden’s National Cybersecurity Strategy
- Intel Boasts Attack Surface Reduction With New 13th Gen Core vPro Platform
- Cisco Patches High-Severity Vulnerabilities in IOS Software
- ‘Nexus’ Android Trojan Targets 450 Financial Applications
- Tackling the Challenge of Actionable Intelligence Through Context
- Dole Says Employee Information Compromised in Ransomware Attack
- Backslash Snags $8M Seed Financing for AppSec Tech
