Adobe Will Fix Security Holes in CS5.5 Apps
Adobe found itself in hot water last week when it announced its plan to help users overcome a security flaw in key Creative Suite 5.5 applications. The solution? Upgrade to CS6.
The applications affected — Flash Professional, Illustrator, and Photoshop — have security holes that let hackers take control of your system after you open a malicious file, for example, a .TIF file in Photoshop. Versions 5.5 and earlier on both Mac and Windows are vulnerable.
Adobe rated the severity of the problem as Priority 3, which is the lowest rating Adobe administers. The three products affected have "historically not been [targets] for attackers." Furthermore, unlike Priority 1 that advises implementing a fix as soon as possible, for instance within 72 hours, "Adobe recommends administrators install the update at their discretion."
Rather than issue a free security patch for the affected applications, which is customary, Adobe told users to upgrade to CS 6 "which addresses these vulnerabilities." For those who cannot upgrade to CS6, Adobe advised that "users follow security best practices and exercise caution when opening files from unknown or untrusted sources."
The uproar on the Web was instantaneous. Comment boards used strong and colorful language to voice their opinions about Adobe's security policy. Most commentary condemned the practice of requiring a paid upgrade for a security flaw, especially on a version released approximately a year ago (version 5.5 came out in April 2011). So even if you paid full freight for CS5.5, you'd be forced to fork over $399 for an upgrade to Photoshop CS6 Extended alone.
Adobe revealed the security flaws on Tuesday, a day after releasing and its Creative Cloud subscription service. By Friday night Adobe backed down, issuing a statement that said it would release free security patches for the affected software.
The company did not say when those fixes would be available. To learn more about the problem, see Adobe's Security Bulletins or check out the blog of the Adobe Product Security Incident Response Team.