Adobe Backtracks On Patching ‘PR Disaster’

Adobe has promised it will patch a flaw in Creative Studio CS5. It previously said users had to pay for an upgrade to get security.

Adobe has decided to provide a software patch for a security flaw in Photoshop Creative Suite 5 (CS5), after previously sparking outrage by saying it would leave the flaw unpatched, so anyone who wanted to use the software securely would have to pay for an upgrade to the next version, CS6.

A fierce backlash apparently caused the vendor to think again: a security bulletin now promises a patch that will resolve the vulnerabilities in Adobe Photoshop CS5. Adobe is also working on patches for other vulnerabilities affecting CS5 products.

“We are in the process of resolving the vulnerabilities addressed in these Security Bulletins in Adobe Illustrator CS5.x, Adobe Photoshop CS5.x (12.x) and Adobe Flash Professional CS5.x, and will update the respective Security Bulletins once the patches are available,” the company said in a blog post.

The vulnerabilities could have allowed an attacker to take control of an affected system.

A PR nightmare?

A number of industry experts criticised Adobe for asking people to pay twice if they wanted to have a secure product. Graham Cluley, senior technology consultant at Sophos, said the update was “clearly preferable to Adobe customers’ only option being to pay hundreds of dollars to fix their software.”

Cluley had initially labelled the move “a PR disaster” for Adobe. “At first when I heard the news I thought there must be some mistake. Maybe Adobe’s security advisories had been worded poorly and although upgrading – for example, to Photoshop CS6 – would fix the vulnerability, the firm would also roll out a free patch to users of earlier versions,” Cluley said in a blog post.

Adobe products have had a history of serious security flaws, but the company has usually moved fast to kill off threats, without charging users. In December, the company took some flak for not moving to patch some zero-day vulnerabilities when it said it would.

However, in April, it emerged Apple had reported more vulnerabilities than any other tech vendor in the first quarter of 2012.
