By Alexandra Burlacu | May 14, 2012 02:20 PM EDT
Recent versions of Adobe's high-profile Creative Suite applications, including Adobe Photoshop, Illustrator, and Flash Professional, have security vulnerabilities on both Windows and Mac platforms. While Adobe initially said users must pay for a CS6 upgrade to fix the problems, subsequently, the company said it will issue free patches to fix the bugs in all three applications. The change was announced in a post on the company's official blog.
"The team decided to make available patches for Photoshop CS5.x, Illustrator CS5.x, and Flash Professional CS5.x," said an Adobe spokesperson, as cited by MacWorld. "We are still in the process of finalizing the timeline for the patches," added the spokesperson. "We will update the respective security bulletins once patches are available." Adobe's official blog also mentions that users can monitor the latest information on the Adobe Product Security Incident Response Team blog or by subscribing to the RSS feed.
According to information published Wednesday on Adobe's security bulletin on the company Web site, security issues compromised Photoshop CS5 and earlier, Illustrator CS5.5 and earlier, and Flash Professional CS5.5 and earlier. The security vulnerabilities in Adobe Photoshop could be exploited by opening malicious TIFF image files, said the company. Adobe characterized the issues as "critical vulnerabilities," which could be exploited to "take control of the affected system."
All of the reported security issues are ranked as Priority 3, which translates into "vulnerabilities in a product that has historically not been a target for attackers." When such cases occur, the company recommends that "administrators install the update at their discretion."
"For users who cannot upgrade...Adobe recommends users follow security best practices and exercise caution when opening files from unknown or untrusted sources," Adobe stated on its Web site.
Rule of Thumb
Adobe's initial stance requiring users to purchase a CS6 upgrade to fix the issues sparked great controversy, and was highly criticized by security experts and users. "The general rule of thumb is that security patches should be issued for all products still considered in-support, said Securosis security analyst Rich Mogull, as cited by MacWorld. "I recently did some research and found no cases where an out-of-support product was issued security fixes..." Both Adobe CS4 and CS5 are still supported, therefore the company has no excuse not to offer security patches, indicated Mogull.
Adobe launched CS5 in April 2010, and CS5.5 a year later, in April 2011. Photoshop CS6 Extended costs $399 to upgrade, Photoshop costs $199, Illustrator, $249, and Flash Professional, $99. Meanwhile, CS6 Design and Web Premium, the suite which includes all three affected software packages, comes with a $375 price tag. The news of security issues come after a busy week for Adobe, as the company had massive software releases, including its Creative Suite 6 and its Creative Cloud subscription-based products and services.
(reported by Alexandra Burlacu, edited by Dave Clark)