
Adobe will fix security bug in CS5.x, having originally said CS6 was the fix

By dpreview staff on May 14, 2012 at 16:56 GMT

Adobe has confirmed that it will fix the security problems with Photoshop and other CS5.x packages, having originally suggested that a paid upgrade to CS6 was the only solution. The security concerns, raised by the company on May 8th, were rated as 'critical,' meaning they could 'allow malicious native-code to execute, potentially without a user being aware.' Despite this, the original solution offered in the company's security bulletin was to upgrade to CS6, leaving CS5.x users vulnerable. The bulletin has now been updated.

After we questioned the original approach, Adobe issued this statement:

'We are in the process of resolving these vulnerabilities in Adobe Photoshop CS5.x, and will update this Security Bulletin once the patch is available. Users may monitor the latest information on the Adobe Product Security Incident Response Team blog at http://blogs.adobe.com/psirt or by subscribing to the RSS feed at http://blogs.adobe.com/psirt/atom.xml.'

Comments

Total comments: 55
vvhy
By vvhy (May 20, 2012)

I use Photoshop CS5, Camera Raw 6.7.
Why is the size of the 5D3 DNG larger than the raw file???
I shoot Medium size raw, the size is around 15MB~20MB,
but ALL the DNG files are 40% larger than the raw.
(I didn't embed the original raw file.)
Does anyone face the same problem?

0 upvotes
Vallkar
By Vallkar (May 15, 2012)

It is time Adobe stopped holding loyal customers to ransom. I believe most upgrades and improvements can be supplied as plugins or service packs (this is where Microsoft scores) - good for users but not good for Adobe. I have used Adobe for over 20 years, upgrading regularly. Not any more. I am looking at other products to replace Adobe products I use. I have already gone back to QuarkXpress from InDesign. Soon I will switch away from Illustrator and Photoshop.

Comment edited 3 times, last edit 9 minutes after posting
2 upvotes
rwl408
By rwl408 (May 16, 2012)

You said it all. It is about time to move away from Adobe. It is simple as that.

0 upvotes
lylejk
By lylejk (May 16, 2012)

For illustrator, I highly recommend Inkscape; it's open source yes, but extremely powerful and getting quite feature rich. I mainly do use GIMP, but the 16/32 issue and RAW does make me open PS for processing when needed. The GIMP Beta 2.9 has finally added 16/32 bit ability but right now they just released the beta so still some bugs to ferret out. GIMP 3.0 will have 16/32 bit image edit ability. Can't beat the price of GIMP either. Lots of online community support too. :)

Comment edited 2 minutes after posting
0 upvotes
Vallkar
By Vallkar (May 16, 2012)

Thanks, lylejk. I think I will try Inkscape. Currently I am trying CorelDRAW which is quite good. For processing RAW I have used CaptureOne Pro for the past 7 years and I can say it is very good.

0 upvotes
valentin_neda
By valentin_neda (May 15, 2012)

Since when the hell did editing images on a computer become dangerous?

0 upvotes
unknown member
By (unknown member) (May 20, 2012)

Good point. I guess that became an issue when Adobe decided somehow their programs needed to be deeply embedded on your system.

It's a highly overrated nasty pig of a program with tentacles everywhere into your system. That pretty much covers it.

0 upvotes
lylejk
By lylejk (May 15, 2012)

Here's my wish. I would pay $75 (not $100) for just updates to ACR every 2 years. $200 is a hefty price so my upgrade flow for the past decade (upgraded twice) has been every 3rd upgrade, but now Adobe wants you to upgrade every time. Since I won't, I hope the full PS price drops a little by the time CS8 comes out. I mainly use GIMP but I do value some key abilities especially ACR. If Lightroom (have only participated in the very initial beta many years ago) uses ACR or better, I might try to pursue this since I don't use most of the features in PS (and I suspect most others don't either). :)

0 upvotes
Gary Dean Mercer Clark
By Gary Dean Mercer Clark (May 15, 2012)

The CS6 trial seems to be an improvement over CS5 but I'm really not feeling the love for Adobe right now. I'm glad they are owning up to the problem and working on a fix. That is the right thing to do and it will help repair their tarnished image a bit.

2 upvotes
psn
By psn (May 15, 2012)

If I want (and I do) to move away from Adobe's image manipulation/catalog offerings, what are my options?

1 upvote
unknown member
By (unknown member) (May 20, 2012)

There is only one program that comes anywhere near to Photoshop's capabilities and that would be Paint Shop Pro.

For the vast majority of serious photographers Paint Shop Pro has all the tools you need. It is also a tiny fraction of the cost. I use Aperture and Paint Shop Pro on my Mac.

Unfortunately Paint Shop Pro has not advanced as well as it did under its original American owner and creators, JASC. Corel keeps adding silly features and disabling many that were useful and support pales in comparison to its previous owner.

Still, it is an excellent alternative to the ridiculous price of Photoshop.

0 upvotes
Michael Engelen
By Michael Engelen (May 15, 2012)

For me Adobe and its arguably great products are history. If they would at least act like Microsoft when it comes to bugs in their software, I probably would feel like paying a premium price, but if Adobe has to be "forced" by their customers to fix a security-issue, it is time to leave the boat.

2 upvotes
lylejk
By lylejk (May 15, 2012)

I can understand why a feature update should require an upgrade to a newer version of PS but not a security hole which is solely the responsibility of Adobe. Even Microsoft continues to patch XP despite not selling it commercially since Vista back in 2007 I believe. A security hole has to be patched or Adobe will have mud in their eye not that that's starting to already happen. :)

5 upvotes
pedromeyer
By pedromeyer (May 15, 2012)

Steve Jobs already said it some time back, Adobe had become lazy in dealing with customers' needs. Thus the Flash blackout from all Apple portable devices.

But I would add as some others have already stated, Adobe became greedy and trying to milk the cow for all it's worth. There is nothing left of the splendor that Adobe had a decade ago.

Adobe might be better served by imitating Apple, rather than Kodak.

CS6 is bloatware at its maximum.

4 upvotes
Retne
By Retne (May 15, 2012)

I agree wholeheartedly with your first sentence, but most of the commentary I've seen agrees that the "Thus" causal link you suggest is incorrect - it was a fairly obvious business interest that led Apple to that decision (with MS jumping onboard for the same reasons), and I agree with the many commentators that Flash was good for the consumer with the potential for cheaper prices (no OS cut), and rich apps that can be developed once.

(Of course Mr Jobs couldn't just say "Hey folks, we don't want to have Flash on iOS as that would harm our app sales, but here's some technical issues we could work with Adobe on, but don't want to:...")

I do also think Adobe has got greedy though, but bloatware - you don't have to have the Master Collection, just install what you need. Not sure why it's bloatware - they have pros that use all the features and really need them.

But this lack of fixing by Adobe is shameful.

2 upvotes
PeterK70
By PeterK70 (May 16, 2012)

But what else Apple is doing differently than Adobe. Apple is the same about security as Adobe. It took them a millennium to fix the Flashback Trojan vulnerability.

But yes. They were able to fix Siri immediately when Siri responded to its users' questions that Nokia Lumia 900 cyan is the best smartphone ever.

Comment edited 2 times, last edit 41 seconds after posting
0 upvotes
unknown member
By (unknown member) (May 20, 2012)

Retne Steve Jobs made it clear that the iPad would have struggled to run Flash properly while being stable and secure while at the same time sipping battery power. He was obviously right.

0 upvotes
unknown member
By (unknown member) (May 20, 2012)

PeterK70 while they did take long to fix that issue you have to take Apple's business and Adobe's business and compare them as it relates to customer service. There simply is no comparison. Apple easily wins overall.

I had an issue recently with Apple's Aperture and I was contacted the following morning by one of their software engineers/programmers. I'm no pro but man I certainly was treated like one.

That, and other examples, are in stark contrast to my experiences dealing with Adobe. Most of what I got were arrogant, condescending and unhelpful responses.

0 upvotes
Mark Forman
By Mark Forman (May 15, 2012)

In the past few years Adobe has become greedier and greedier than ever before.
This is a prime example of this.
They were shamed into this critical update by the possible loss through possible lawsuits.
They deserve being forced into this fix.

4 upvotes
dpalugyay
By dpalugyay (May 14, 2012)

Good to see they are doing the right thing.

0 upvotes
Vallkar
By Vallkar (May 15, 2012)

They should have done this in the first place without being clever.

0 upvotes
gargalamouth
By gargalamouth (May 14, 2012)

Ask Ivanopoulo for a quick fix.....

0 upvotes
thx1138
By thx1138 (May 14, 2012)

Adobe also has a bug in tiff files they refuse to fix, where it does not conform to the standards and can cause the colour space metadata to be lost. It's been reproduced for them and they blame everyone else. Quite pathetic seeing some people defending their actions or should I say inactions.

1 upvote
Nismo350Z
By Nismo350Z (May 14, 2012)

Using Adobe's logic, Photoshop CS6 is really a patch for Photoshop 1.0. That makes so much sense now.

1 upvote
laueddy
By laueddy (May 14, 2012)

Microsoft still provide updates for Windows XP, or our iPad 1 are still getting updates to new iOS. So, there is very little reason for Adobe not to provide a security for such an expensive software they sell.
When going from an older version to a new version, it should be about new features and functions, not patch.

5 upvotes
Vallkar
By Vallkar (May 15, 2012)

New functions can be supplied as plugins.

0 upvotes
mick232
By mick232 (May 14, 2012)

You people seem to ignore a couple of things:

1. there is more than one workaround available (don't open TIF files from untrusted sources, scan TIF file with virus scanner)

2. fixing a bug in old software is more expensive by orders of magnitude than in upcoming or current software; even if the fix is a one-liner, the software has to be re-built, re-tested, re-released. Don't underestimate the effort needed for all these steps. These processes have to be re-run for the fix whereas with software currently being developed they run anyway.

That is why any software company will assess the severity of a bug. No company will fix any bug, even if it is a security issue. That's just how it is and all your rants are not going to change it.

1 upvote
58volts
By 58volts (May 14, 2012)

Here in the UK there is a piece of legislation called the "sale of goods act" and it says goods must be fit for purpose!

If you buy a new car and it has problem with engine management system you wouldn't expect the dealer to say sorry mate you have to buy another car, would you?
It's time software companies got real and stop trying to force people to upgrade because they sold faulty goods!

9 upvotes
SevenStepsSouth
By SevenStepsSouth (May 14, 2012)

Actually all the rants *did* change things. :)

6 upvotes
Lenny L
By Lenny L (May 14, 2012)

1. Many people get infected when they're sent infected files from people they know. People whose systems were compromised.

2. It's hard to put a value on this, but the negative publicity associated with their earlier move could arguably cost the company much more than releasing a fix for it.

Intel learned the hard way with the Pentium FDIV bug that customer backlash can be strong when you do not address a bug, instead telling customers "don't worry, it won't affect you". It is bad enough that Adobe products have so many security flaws. Refusing to address one of them in their flagship product is just irresponsible and amazingly bad PR.

7 upvotes
mick232
By mick232 (May 14, 2012)

@58volts: this piece of legislation is not applicable since software is not a tangible good. Refer to:

http://www.computeractive.co.uk/ca/consumer-rights/1931491/isnt-software-covered-undere-sale-act

@SevenStepsSouth: Read my last paragraph again. I wrote: you are not going to get a fix for all bugs. That doesn't mean you can't get a fix for individual bugs and you may even achieve something by making enough noise, but I never denied that.

0 upvotes
martian1
By martian1 (May 14, 2012)

Sorry mick232,

I have read your last paragraph initially correct and just to confirm, read it again - you now have changed your original wording:
'No company will fix any bug, even if it is a security issue. That's just how it is and all your rants are not going to change it.'

Additionally, please note that CS6 is not yet available in some countries through most retailers, e.g., in my country Switzerland, therefore CS5.5 still is effectively the current version and not 'old software'.

2 upvotes
ljmac
By ljmac (May 15, 2012)

Are you serious? Adobe's software is more expensive by an order of magnitude than most other things, and you don't expect them to fix a critical security issue released on the same day as a new version? What are we paying all that money for? And given the timing, they would have known about it while CS5.5 was still the current version.

1 upvote
cjyphoto
By cjyphoto (May 15, 2012)

Mick... Tool...

0 upvotes
Josh152
By Josh152 (May 15, 2012)

Exactly ljmac,

They made a deliberate decision not to fix it in CS5 so they could use it as leverage to get people to upgrade to CS6.

1 upvote
sglewis
By sglewis (May 15, 2012)

Mick232 - Fixing a bug in old software??? CS6 was out about a week when the security bug was discovered. Should Adobe not support a product sold on retail shelves less than a month ago? I understand the need to stop patching software... eventually... but that's absurd!

1 upvote
Vallkar
By Vallkar (May 15, 2012)

True. If companies have made billions selling these software, I am sure they should take some responsibility. Toyota is a good example.

1 upvote
Viggo
By Viggo (May 14, 2012)

But when will they fix the 5d3 support for Lightroom?!?! Useless.....

(I know they support the files, only they suck at converting them creating very soft, noisy files)

1 upvote
rich12
By rich12 (May 15, 2012)

Canon files always look soft. Buy another camera brand instead.

5 upvotes
unknown member
By (unknown member) (May 20, 2012)

There is no significant difference between all the top camera makers. Only Leica and Sigma stand out with images that are inherently sharper than those of other brands.

0 upvotes
thejohnnerparty
By thejohnnerparty (May 14, 2012)

A quick read on software companies - Lazy, greedy management with one goal: get it out there quick, never mind the problems. When people discover problems - let customer support deal with it. Done. Move on.

1 upvote
mick232
By mick232 (May 14, 2012)

And how is that different from any other company that sells stuff?

No company will fix a product that has been already sold unless they have to (warranty) or you pay for it.

It is very similar with software. You can get bugfixes for critical issues and if the software is not too old. You can also pay for a support contract and will get fixes much later or fixes for problems that only affect you.

1 upvote
Jimmy C
By Jimmy C (May 14, 2012)

PS CS5 came out in Sept, 2010. So, either it is too old to support or Adobe doesn't consider the problem to be critical. Imagine the uproar if MS decided to not support Windows 7, which was released to manufacturing in July, 2009. Win8 is due for release this summer, so by your reasoning MS should not be obligated to fix problems. With Adobe and other firms cranking out releases every 18 months, they just get the initial bugs resolved then release an upgrade. Why purchase a support contract for software that has many bugs? Are users now nothing more than beta testers?

Adobe wants to force upgrades or a move to cloud to help their cash flow. Not supporting a product that is less than 2 years old and suggesting a critical fix could be resolved by upgrading is really poor customer service. What about the user who purchased CS5x 6 months ago? Something is terribly wrong with this company.

3 upvotes
Luke Kaven
By Luke Kaven (May 14, 2012)

It's like a protection racket. Adobe says: "Hey, psst, lots of dangerous characters out there. Nice daughter you have there. Hate to see anything happen to her. Might get your identity stolen. So just give us $500 and Reggie and Ronnie will take care of it."

Does anyone wonder anymore why some of us don't like this company and its pleistocene software?

10 upvotes
PhotoArtKC
By PhotoArtKC (May 14, 2012)

"Hey guys, we know about the bug that could allow people to access your computer. We call the fix CS6, but it will likely have bugs that will need addressing too, those patches will be available in CS7."

Gotta love software companies that completely drop all support for still widely used versions of software when the "upgrade" comes out. More so when they know that many people who normally upgrade don't see a point in doing so this time.

0 upvotes
tigger
By tigger (May 14, 2012)

I think it unbelievable that they even considered to only patch that in vulnerability with CS6.

3 upvotes
Mostly Lurking
By Mostly Lurking (May 14, 2012)

USD $199.00 for an upgrade from CS5 to CS6 that really provides little is a bit pricey for me. I might as well wait for CS.X when I'll have to pay $600 for the whole thing and all the updates in-between. Then it may be worth the price. That's what I did when I had CS---wait for it to be worth-while even though I had to pay the whole CS5 package price.

Comment edited 40 seconds after posting
1 upvote
Gothmoth
By Gothmoth (May 14, 2012)

well a few hundred euro for a security fix is not too much to ask, is it?

adobe has a screw loose anyway.... look at the price difference between the USA and europe. and keep the $ exchange in mind.

and this company we shall trust with their CLOUD apps ... LOL.

3 upvotes
3DSimmon
By 3DSimmon (May 15, 2012)

The price difference is probably due to the tax/toll fees in the EU

0 upvotes
gotham00
By gotham00 (May 16, 2012)

Arrrgh! Here in Aus we get smashed with Adobe rip off pricing!!!! Even though we are on parity with US, even our pollies want Adobe to explain their pricing structure here, compared to the rest of the world and we don’t even tax software in this country!!!!!

Not happy Adobe

1 upvote
unknown member
By (unknown member) (May 20, 2012)

Pricing is based on what a particular market is willing to pay. We are not talking about a life sustaining product. If it is too much in your country then don't buy it.

0 upvotes
tkbslc
By tkbslc (May 14, 2012)

It's getting a lot harder to pull one over on your customers these days.

13 upvotes
richardginn
By richardginn (May 14, 2012)

hahahahaaaaa I can't believe it took them so long to respond.

0 upvotes
micahmedia
By micahmedia (May 14, 2012)

I can. They've been very busy working on raw support for the SD-1 and XPro1.

0 upvotes
Gary Dean Mercer Clark
By Gary Dean Mercer Clark (May 15, 2012)

LOL---SD1 support from Adobe? They didn't support the SD15. While I like lightroom---I'm not feeling the love for Adobe......

0 upvotes