Adobe backs down, will release patches for critical holes

Adobe has announced – through changes to the security advisories it issued earlier this week – that it is developing patches for the critical holes in the CS5.x versions of Adobe Photoshop, Illustrator and Flash Professional, after previously advising users that they needed to buy the just-released CS6 versions of the applications.

The revised advisories retain the suggestion that users should upgrade but also now state, for example, "We are in the process of resolving these vulnerabilities in Adobe Photoshop CS5.x, and will update this Security Bulletin once the patch is available". Adobe has given no schedule for the availability of patches.

In the original 8 May advisories, the company had said only that users of these products would need to purchase the upgrade from the CS5 and CS5.5 versions to the, just shipping on 7 May, CS6 versions to close the critical holes they were detailing; a move that was seen as effectively charging for security fixes.

Adobe responded to that by saying that it did not believe that Photoshop was a target for attackers and that this was the reason why it did not create fixes for the versions that are two years and one year old, even though they are still on many stores' shelves and in use around the world. Adobe then quietly revised the Photoshop advisory on 10 May, to say that the vulnerabilities it documented didn't affect the most recent, CS5.5 version, only the older CS5 version and earlier versions. The company did not explain why it had alerted users of a critical hole, which could only be fixed with a paid upgrade, in software which did not have that critical hole in it.

Update - Adobe has pointed out that there was not a CS5.5 update of Photoshop; when Creative Suite 5.5 was shipped last year, Photoshop was the one product that did not receive a version number update. Photoshop 5.0 has in fact been the current version up until the release of Photoshop CS6.

(djwm)