That was stupid, Adobe

May 14, 2012 (3 min read)
Application Security, Data and Information Security

Adobe has decided to issue free security patches for eight critical vulnerabilities in its Creative Suite, which includes widely-used programs like Photoshop and Illustrator. This, after the company originally told customers they would have to pay $375 for a full suite upgrade in order to get the fixes. I’m glad Adobe had a change of heart, but I’m still scratching my head over where they got off trying to make users pay to begin with.

Adobe wasn’t just acting stupidly in this case — it was ripping off customers. That is much worse than being stupid.

Let’s review. Friday, my Computerworld colleague, Gregg Keizer, wrote:

Adobe has told users of its Creative Suite, which includes the company’s premier products like Photoshop and Illustrator, to spend $375 to upgrade if they want patches for eight critical vulnerabilities. Adobe will not be fixing the flaws in older editions of Photoshop, Illustrator and Flash Professional — all components of Creative Suite — even though it has rated the bugs as critical, and addressed the vulnerabilities in Creative Suite 6 (CS6), which launched late last month. On Tuesday, Adobe issued security alerts for eight vulnerabilities in Photoshop 5 and earlier, and Illustrator and Flash Professional 5.5 and earlier. Of the eight bugs, one is in Flash Professional, two are in Photoshop and five in Illustrator.

He wrote of customers and security experts being dumbfounded that Adobe would dare to force people to spend money on an upgrade in order to get critical protection.

“There’s no excuse for this,” ranted someone identified as “Smerity” on a discussion board at Hacker News. “Adobe Photoshop CS5.5 has a critical security vulnerability, but the remedy is forced PAID upgrade to CS6? Genius,” said “Kontra” on Twitter Thursday. Security experts were astounded that Adobe would stoop to such tactics. “This is totally unbecoming of them,” said Andrew Storms, director of security operations at nCircle Security, in an interview today via instant messaging. “For all that they have been doing to revise their face of security, this just brings them right back into the dunce cap seat.”

A day later, Adobe reversed itself. Jackie Dove, my colleague at Macworld, explained in another article: “In explaining its previous position earlier in the day, the Adobe spokesperson had said that since the vulnerabilities had been resolved with the new CS6 version, ‘no dot release was scheduled or released for Adobe Photoshop CS5. In looking at all aspects, including the vulnerabilities themselves and the threat landscape, the team did not believe the real-world risk to customers warranted an out-of-band release for the CS5 version to resolve these issues.’”

The team didn’t see a real-world risk to customers big enough for an out-of-band release? That’s madness. If you issue a critical security alert, you’re telling people the real-world threat is pretty big.

Was Adobe motivated by greed? I’ll give them the benefit of the doubt and say probably not. Chances are the team made a decision based in part on company policies and simply didn’t stop to consider how this would make customers feel.

Bottom line: When someone finds critical security holes in your products, you give customers a free security fix as quickly as you can. When we shell out a lot of money for your products, we’re trusting you to keep us protected. If you fail, it’s your problem, not ours. Pure and simple.

That was stupid, Adobe. Please don’t do it again.