After stating last week that users who wanted to patch security flaws in Illustrator, Photoshop and Flash Professional would have to upgrade to new versions of the software for as much as $249, Adobe recently announced that it would soon release free patches for legacy versions of each application.
“We are in the process of resolving the vulnerabilities addressed in these Security Bulletins in Adobe Illustrator CS5.x, Adobe Photoshop CS5.x (12.x) and Adobe Flash Professional CS5.x, and will update the respective Security Bulletins once the patches are available,” Adobe’s David Lenoe wrote in a blog post.
“The vulnerabilities in Photoshop could be exploited via opening malicious TIFF image files, Adobe said,” writes Macworld’s Jackie Dove. “It did not describe the possible attack methods targeting Illustrator or Flash Professional. According to Adobe, the security issues — which it characterized as ‘critical vulnerabilities’ — could be exploited ‘to take control of the affected system.'”
“Last week, Adobe said it would not quash the bugs — one is in Flash Professional, two in Photoshop and five in Illustrator — and told customers to upgrade to the Creative Suite 6 (CS6) editions if they wanted the patches,” writes Computerworld’s Gregg Keizer. “Adobe launched CS6 last month. The steep upgrade prices, however, triggered anger among users and incredulousness among security researchers.”
“It’s good that they did this, but the original decision to not issue updates and force people to upgrade to CS6 left a bad taste for many users,” write The Loop’s Jim Dalrymple and Peter Cohen.
“Photoshop, Illustrator and Flash Professional are widely deployed in the creative industry and are used by professional graphic artists and others and not so much by consumers,” writes Threatpost’s Dennis Fisher. “Though these applications don’t have the massive install bases that Flash and Reader do and therefore aren’t key targets for attackers, the fact that the vulnerabilities in the apps are remotely exploitable and can be used to take complete control of victims’ machines makes them dangerous bugs. Adobe did not say when the patches for these vulnerabilities will be available.”