Adobe puts a price tag on security updates for Photoshop and others
Users who want to protect their Photoshop, Illustrator or Flash Professional installations against critical security holes must now dig deep into their pockets. It costs £190.80 ($199) to upgrade from a previous version to Photoshop CS6 alone, and this update is recommended by Adobe because it fixes several critical security holes. The other upgrades, for Illustrator and Flash Professional, which close security holes are also exclusively available to paying customers. The only free update Adobe has released on its May patch day is one for Shockwave.
Those who don't want to purchase these commercial upgrades – for example, because they don't need the new Photoshop features – are on their own. Adobe only makes the general recommendation that its customers should "follow security best practices and exercise caution when opening files from unknown or untrusted sources" as the holes do represent substantial threats.
Adobe Photoshop contains a buffer overflow vulnerability in its TIFF features that has already been the target of a public proof-of-concept exploit, as well as another unspecified security problem that allows attackers to secretly infect systems simply by getting users to open a specially crafted file. For Illustrator, Adobe has listed a total of 5 security holes; for Flash Professional, there is one critical issue. In all cases, CS5.5 and earlier for Windows and Mac OS X are vulnerable.
An update to Adobe's Shockwave Player, version 220.127.116.115, has been released fixing 5 security holes that exist in its predecessor. Because of reports of active attacks, Adobe rolled out the latest version of Flash on Friday.