Adobe yesterday released security updates that patch several vulnerabilities in Adobe Illustrator CS5 and Adobe Photoshop CS5.
"The update for Illustrator applies to both Windows and Macintosh versions of the CS5 15.0.x and CS5.5 15.1 product, fixing six separate memory corruption vulnerabilities," writes Threatpost's Christopher Brook. "The Photoshop update fixes both Windows and Macintosh versions of the CS5 12.0 and CS5.1 12.1 product and addresses two buffer overflow vulnerabilities, one stack-based, which could lead to code execution. Adobe fixed the Photoshop and Illustrator problems when the company released its Creative Suite 6 (CS6) software collection last month, yet failed to immediately address the issues of those who elected not to upgrade from its CS5 collection."
"When Adobe originally announced the vulnerabilities, it told users that the only way to close them would be to upgrade to the latest, and recently released, versions of the software. In the case of Photoshop, that would have been a cost of ... $199," The H Security reports. "Adobe argued that they did not believe 'the real-world risk' warranted an 'out of band release to resolve these issues;' this sparked a wave of protest by users. A few days later, on 12 May, the company announced it was changing its advisories and said it was working on patches and would update the advisories when the patches were available."
"Adobe is not aware of any ongoing attacks that target the vulnerabilities patched by the newly released Photoshop and Illustrator security updates, the company said in the corresponding security bulletins," writes Computerworld's Lucian Constantin. "Adobe Flash Professional CS5.5.1 remains vulnerable to a buffer overflow vulnerability that can lead to arbitrary code execution. The company is working on a patch and will release it at a later date."