Updated 5/14/2012 1:45:52 PM ET

UPDATED Monday, May 14, 1:30 p.m. EDT. See end of story.

Serious security vulnerabilities have been discovered in Adobe Photoshop, as well as in its companion applications Adobe Illustrator and Adobe Flash Professional.

Adobe is not issuing a free patch to correct the flaws, however. Instead, the company says that customers who want to protect themselves should pay for the upgrades to the next versions of the software, which were released Monday (May 7). If you don't want to pay, Adobe asks that you "exercise caution."

The vulnerabilities in Photoshop CS5.5 and earlier, Illustrator CS5.5 and earlier and Flash Professional CS5.5 and earlier leave Mac and Windows systems open to remote exploitation by an attacker using a rigged TIFF file, Adobe said in a press release.

To tackle this problem, Adobe is recommending its users upgrade to the CS6 equivalents of their affected applications. Doing so will cost $99 for Flash Professional, $199 for Photoshop and $249 for Illustrator.

An Adobe spokeswoman told SecurityNewsDaily via email that the security threat was not serious enough to warrant a free vulnerability patch.

"In looking at all aspects, including the vulnerabilities themselves and the threat landscape, the team did not believe the real-world risk to customers warranted an out-of-band release for the CS5 and CS5.5 versions to resolve these issues," she wrote.

"The security bulletin for Photoshop is rated as a Priority 3 update, indicating that it is a product that has historically not been a target for attackers, and in this case we are not aware of any exploits targeting any of the issues fixed. Installation of the upgrade is therefore at the user's/administrator's discretion."

Adobe creative software products can be purchased individually or in various "Creative Suite" bundles. The full Creative Suite, with 16 stand-alone applications, retails for $2,599.

Citing numerous complaints that have flooded social-media sites, Graham Cluley from the security firm Sophos called Adobe's choice to force customers to pay for the new software "a PR disaster for the company."

New versions of Photoshop and other Adobe creative applications can take months for corporate customers to deploy, and home users often hang on to older versions of Adobe's expensive software for years. Such periods of prolonged vulnerability are often exploited by malware writers, most recently with the Flashback Trojan that leveraged Apple's delay in patching Macs to infect 600,000 machines.

For those users who don't have the cash to pony up for new versions of Photoshop or Illustrator, Adobe recommends that they "follow best practices and exercise caution when opening files from unknown or untrusted sources."

UPDATE: Later Friday, Adobe backtracked on its initial decision and decided it would patch the three applications after all.

© 2012 SecurityNewsDaily. All rights reserved
