Adobe Introduces the Paid Security Fix
Nimey writes "Adobe has posted a security bulletin for Photoshop CS5 for Windows and OSX. It seems there is a critical security hole that will allow attackers to execute arbitrary code in the context of the user running the affected application. Adobe's fix? You need to pay to upgrade to Photoshop CS6. For users who cannot upgrade to Adobe Photoshop CS6, Adobe recommends users follow security best practices and exercise caution when opening files from unknown or untrusted sources."
Almighty dollar wins again!
If it's broken, get them to buy something to fix it.
Well that's one business model to get people to upgrade/purchase your software. I'm sure they were thinking "how do we get people to upgrade to a new version if we haven't innovated the product? Wait, let's tell them about the security hole and tell them to upgrade"
It isn't in the league of PS, although it tends to do almost as much.
Adobe already got brickbatted about security... are they just trying to get clobbered again? Only difference is that not as many people will get nailed by Photoshop holes as opposed to a hole in Flash or Acrobat, mainly because spending $2000 or so for the CS suite is out of the price range of all but the dedicated artists.
I can see it now, all software vendors are going to introduce security flaws or wait until one is discovered to release the next paid upgrade release.
I think a class action suit is in order for all the holders of the older version. If their software causes a security hole and if one person gets hammered by it then like the car companies having to recall and fix cars, software vendors will have to do likewise.
Are you listening, Adobe?
If this was a years-old version, I'd understand, but CS5 was the latest version until literally days ago!
This is akin to buying a 2010 Chevy (under warranty), then finding out that the brakes catch on fire under certain circumstances, and the company's suggestion: buy a 2012.
Be a shame if something bad happened to it...
Wow... Actually sounds like our medical system. And just about every other "system" we have. Cars, houses, etc...
Wow, now that I think about it, that sucks.
Blech.
"Helping to keep you two steps ahead of the Thought Police!"
This is pretty much standard for stuff that's out of support. Try to get a security patch for Win98. That's not to say that I think Adobe is right to say CS5 is at that level, but this is hardly the first time that the solution to a bug has been 'buy the new version'.
Since I can't mod Adobe "-1 flamebait" I'll just say it again. Fuck you, Adobe! I'd like to go on record as stating that you should all be ashamed of yourselves.
with the new features in the 'upgrade'.
Interesting enough, the CS collections aren't listed on Adobe's products and Enterprise Technical Support Lifecycle Policy.
Intuit.
Adobe doubles its lobbying budget, griping pirate rates have doubled for their newest software Photoshop CS6.
When you have nothing to say, blame Microsoft.
Seriously. This is why people download pirated versions. Even if you have a paid version of something, the damned thing "phones home" every time you launch it, the bozos are so paranoid. You can disable this in /etc/hosts, but it's still indicative of greedy grubbing stupidity. If they charged a third of the price, they'd sell 3 times more copies. Look what Apple did with FCP -- they made it affordable (yes, I've read the complaints, but it works fine).
Doh.
people will know why they paid for an Adobe update.
My PAID Acrobat 8 has licensing issues. Once in a while, it complains the license is not valid and I cannot generate a pdf. Then it works again on the next day.
I called Adobe support twice. Their solution is to upgrade because they say they don't support it anymore.
I argued it is not a technical issue but a license issue. They don't care.
Nice.
"Just released, and coming in at 370 MB in size, the Mac OS X 10.7.4 update includes general OS fixes, and addresses more than 30 security vulnerabilities. But aside from typical security fixes, Apple has made an interesting move in an effort to protect users. Through this latest software update, Safari 5.1.7 will now automatically disable older - and typically more vulnerable - versions of the Adobe Flash player. While many software vendors would prefer OS makers to keep their hands off their software, the move appears to be welcomed by Adobe, which has constantly battled vulnerabilities in its widely installed Flash Player."
Maybe Apple should disable Photoshop CS5 as well?
[Fuck Beta]
o0t!
When you buy a piece of software (or "license it", if you will), you buy it as is, defects and all - typically with no warranty or merchantability for any particular purpose. From that standpoint, consider yourself lucky if you get someone to provide an update at no charge. Besides which - how long is a manufacturer supposed to be "on the hook" for supporting an old version? And a "0.01" version difference IS an old version. Frankly, I'm amazed at companies continuing to provide updates for older stuff. On the other hand - it is GOOD BUSINESS to do so, to at least some degree. What better way to bring on an unnecessary (even if meritless) lawsuit, than to get popped for not fixing known security issues, even in old software. Given the general uselessness of juries, you're just ripe for trouble. But failing to do good business (generally) isn't "wrong" from some kind of moral perspective... it is (often) just not very smart.
>Adobe's fix? You need to pirate the upgrade to Photoshop CS6.
Fixed.
There is an old story I will retell that should serve as a warning for all customers.
Once upon a time, there was a transport company employee charged with replacing a large segment of the company's trucks made by Volvo. The employee, being a bright individual, called up a sales clerk from Ford that had been trying to get a foot in the door and asked him to send three Ford trucks for testing. The day the Volvo sales clerk came to discuss the purchase of new Volvo trucks, these three Ford trucks happened to be parked on the lot. When the trucking company employee saw the Volvo sales clerk glance at them, he said "Yeah, the boss has been looking at them, he seems to think they are an alternative worth looking into. But that is for later, let's discuss the deal you were going to offer us".
In another company far far away, a CTO who loved IBM hardware knew it was time to discuss the purchase of new hardware, so he ordered an underling to set up a trial project with HP servers, just to see what the competition was doing. When the IBM man came by he of course showed him the workfloor including the corner where the junior was working on those shiny new HP servers. "Got to give the kids their toys to play with," the CTO told the IBM sales clerk. "Btw, what was the price you were going to ask for again?"
But in the dark and damp lands of Mordor, a very different tale was playing out. There the CTO invited the MS and Abobe sales clerk and proudly showed them how his entire business depended completely on their software product and how not only did they need the software to work flawlessly or they would be bankrupt in seconds, all the staff could only use the latest software and their customers demanded that they use the latest software. "BTW", the CTO asked, "what was that deal you wanted me to sign in my own blood again while bending over"? And there was much rejoicing among the Tribes of MS and Abobe, for they knew exactly who was calling the shots. One lockin to rule them all and in Eula bind them. For the users of MS and Abobe were greedy and feeble minded and could not break free of the spell.
---
Really, this is nothing new. In the land of NAS and control systems, this is par for the course. You let a supplier control you, control you they will. Want to break free? Good luck, your company needs the new version, license or risk being unable to produce so you hand them the cash and lock yourself in just a little bit more.
Not a SINGLE Photoshop user will invest in his own freedom by making sure there are alternative methods to do his production. They will grind their teeth, buy the latest version and invest yet more to make sure their production is entirely locked into Adobe clutches.
Cue countless protests about how there are no alternatives... no, there are none because any who dares to try is ridiculed for not instantly producing a 100% compatible product for free because freedom should be free of effort and cost.
You gave Adobe the control, enjoy it.
It is not as if you are alone. Governments often dictate that procurement must be regulated, meaning that once a procurement contract has been done, all interest in customer satisfaction goes out the window because the contract is fixed, can't be ended and renewal depends solely on the price offered (not charged) so fuck you peon.
I've seen it too often in other industries, entire production line depended on one type of machine, fired your own maintenance team and anyone who could switch them out with other hardware. Goes, the "extra" charges sure went up a lot didn't they? Suddenly maintenance must be done by their certified team, at weekend charges.
Lockin, avoid it or pay the price.
MMO Quests are like orgasms:
You may solo them, I prefer them in a group.
When I was a teenager, I knew that I wanted to be a software developer. I thought one of the coolest jobs would be to work at Adobe. How amazing would it be to add improvements to software used by famous graphic artists and video studios all over the world?
Now, I'm glad that I never even attempted to work there. They've become known for security holes all over the place in Flash and Acrobat, glacial pace of development, one poor design decision after the other, and no shortage of performance issues. It really is a shame how much they've stagnated, and in some cases regressed.
They're reporting the vulnerability because it's their policy, not because it's actively being exploited. The install base of Photoshop, like Gimp and thousands of other productivity applications, doesn't warrant an attacker's effort. There are countless vulnerabilities in other applications like this that go unreported and unexploited.
If they didn't report it, nobody would care.
It's common practice to stop supporting versions that are two or more out of date. They just released CS6 so this would be perfectly normal. They aren't forcing an update they are simply saying they can't continue to support products that are out of date beyond a certain point.
Fuck Adobe.
Apple has been doing this for years. Most of the users in their support forums even seem to think that there is nothing wrong with it.
I find it a terrifying precedent.
CS5 just passed its 2 year mark
AccountKiller
I made the switch to the Gimp years ago. I got tired of pirating Photoshop. Then, when I switched to Linux, Photoshop doesn't run on Linux. Lo and behold, Gimp is an easy install, and I learned that. Now that I've switched to Mac (for the desktop), I still use Gimp. Ooh, and there's a new version out, and the development version handles high-bit images!
gimp.org
I do stuff Zhrodague
or maybe it was the last week of February. That's a mighty short support cycle for an expensive product. Perhaps a class action would be nice.
(note: I did not pay retail, but having essentially a 3 month supported period on a major software suite is pretty crappy)
Is it just my observation, or are there way too many stupid people in the world?
Aren't ya glad you switched to gimp like a decade ago? I sure am!
Adobe's fix? You need to pay to upgrade [from CS5] to Photoshop CS6.
Ah yes, I would be delighted to buy more software from you, since it worked out so well last time around.
This is especially egregious since according to the researcher's announcement, Adobe has been sitting on this bug since last September. Users of CS5 should demand a patch.
Thoughts on a way to fix this sort of thing generally:
The government should define a minimum support window for software, say 5 years or so. From the point where you purchase a software product at retail (not resold), you are entitled to support for critical security flaws (ie: exploitable risks which you cannot mitigate with normal usage) during that period. At the vendor's option, that support can be either free software patches (with no degradation of functionality or additional licensing requirements/terms), full version upgrades (under the same conditions), or the release of the complete source for the product into the public domain (BSD-style). The last option would be the legally-mandated requirement if the vendor was unwilling or unable to supply one of the first alternatives. Companies could, of course, adjust pricing of their software as appropriate to comply with the mandate.
It's not a very clean solution, but it would do wonders to curtail the "forced paid upgrade" trend in software. Plus, companies with "good" support policies in place (both large and small) would benefit.
... Adobe has 100 words for "won't fix it"
CS6 just launched and I mean JUST. It shipped on May 7th. So this isn't a case of an old version where Adobe is saying "Look guys, we are discontinuing support, have to buy the new one if you want it." The "old" version is only "old" by 3 days now.
Good God man, CS 5 has been around for two years. Find one example of a similar security flaw that was discovered two years after the release of a product, that Apple did not offer a patch for, ever.
Adobe is charting new waters.
From the bulletin:
Adobe released a security upgrade for Adobe Photoshop CS5 and earlier for Windows and Macintosh. This upgrade addresses vulnerabilities that could allow an attacker who successfully exploits these vulnerabilities to take control of the affected system.
Adobe has released Adobe Photoshop CS6, which addresses these vulnerabilities. For users who cannot upgrade to Adobe Photoshop CS6, Adobe recommends users follow security best practices and exercise caution when opening files from unknown or untrusted sources.
Sure sounds like CS5 had an upgrade released that addressed these vulnerabilities. I think it also says that the released version of CS6 is not vulnerable. Probably marketing people got involved to try and write this to encourage upgrades, which may have backfired a bit.
62,400 repetitions make one truth -- Brave New World, Aldous Huxley
"For dessert, we have an ice cream peanut butter pie, blueberry cake, or the antidote for the poison you ate earlier."
Gently reply
Adobe has crossed over to the dark side. Now they are officially Evil.
I didn't know Adobe is suffering that much they can't afford free security fixes anymore.
They moved to software as a service model in the last year.
You can now pay your adobe fees monthly (couple hundred/month) -- if you want the yearly plan, you buy all new versions at a discount.
If you don't want to upgrade right now, that's fine...
When you do, you can either pay full price (~30-50% more), OR you can pay for each upgrade between your current version and the current.
They shut down email and online support without paid contracts ON TOP of the SOFTWARE cost. (i.e. when you "buy" their software, it gives you a license to install it and they will give you help with installing it. That's it. Any bug fixes you want addressed? You pay extra.)
They also decided to merge the mac and windows support forums -- because their needs are the same (that's working out real well, ha).
And closed most of their product forums -- moving them to professional "customer handler" ("Get satisfaction")...
Yeah.. they've been pretty evil for some time now.
I've had to call and beg for 'reactivation' on windows 7 probably near a dozen times now -- because whenever win7 would hiccup, adobe's license mechanism would try to issue another license as it would think you were a different computer. Think of the MS-HW detection algorithm, but with the number of allowed changes in HW = zero or one (depending on the part).
It wouldn't be so bad if they were actually innovating, but they generated a V5.5 in between V5 and V6 just to create more revenue -- and force customers to pay double upgrade costs to get to V6 -- and it doesn't have much in the way of new features either.
Their biggest nightmare -- people weren't upgrading because their engineers stopped innovating as quickly, so people were using the same SW for 3-5 years... while adobe wants payments every year.
This is a perfect example of why people steal software
As I said before (received with the standard mockery and excuses), it's hard to empathize with Windows or Adobe users. You know you're buying a paid service. You know they're in it for the money. They aren't your friends or your Mommy or your guardian angel. You give them money, they give you a license to use their product for a while, with premium services at extra cost. It's all in the EULA. You did read it, didn't you?
That's news.
Vote monkeys into Congress. They are cheaper and more trustworthy.
.. or do the first paragraphs of the bulletin's Summary and Details say that a security upgrade has been released for CS5?
Make sure you understand what they actually use Adobe products for, what the workflow is. Don't just glibly say "Oh GIMP will work!" because you heard they are both image editors.
See you discover that the problem is sometimes there really aren't options. Pre-press products just seem to be one of those cases. Adobe seems to be it for something, particularly an end-to-end solution.
Also please note "Just write it yourself," isn't a realistic suggestion nor is "Well just spend more time and effort to work around problems with a hacked together situation." Since the whole talk here is about money unless you can show how that saves money (and remember staff time is the biggest cost you have) then unless it does, it isn't a realistic suggestion.
"... exercise caution when opening files from unknown or untrusted sources."
Untrusted sources, you mean like Adobe?
that's adobe's right, ability, etc. how long should they have to maintain an old version? i have no qualms with adobe employing this policy. it's also my right, ability, etc. to say 'fsck adobe' also and stop buying their product.
our society is so fscked up because we want to illegalize everything we don't like. what a bunch of lazy-ass, pussified, whiny-babies we are.
Are you graphic artists really that dense or do you love me so much you want to make sure everybody understands how valid my points are by proving me right?
Maybe you just don't understand the rather simplistic story of how to deal with sales people?
This is not about GIMP or anything else, it is about how YOU allowed YOUR means of an income to come to depend on a single supplier. Others have given other examples. Would you build your loading dock to allow only one model of car? Would you pack your packages so only one package company can deal with them? Would you reshape your body so you can only fit in one airliner's seats? Would you change your digestive tract so that you can only digest McD hamburgers?
No?
It is not up to me or anyone else to provide you alternatives. When you are that dependent on a product, you ROLL YOUR OWN. Pixar does, why do you think they support GIMP anyway? Because they don't want THEIR production line to depend on someone else's. THAT is why companies support Opensource software, why Valve is looking at Linux despite its tiny marketshare. Because once you are open, someone else doesn't control you.
Back in the days of DOS, there was Blue Isle and the Battle Island series of games. Then MS announced Windows 95 and Blue Isle announced a Windows 95 only game. And then Windows 95 got delayed and the game had to be held back because it could not launch without the OS. Blue Isle had tied themselves to another company's products and so became tied to another company's goals.
iD did not do the same, they launched Quake with both DOS and Windows support. Guess which company did better with their game?
Oh okay, it is not as simple an example as the car example. Car examples are clean and simple but since you are not getting them maybe a game one will strike closer to your heart.
Graphic artists have locked themselves into a company that has shown multiple times to not have the same goals. They can either SHUT THE FUCK up about it OR do something about it. Moan about it while keeping the lockin going on, is just going to result in ridicule.
Ready? Okay, HAHA!
MMO Quests are like orgasms:
You may solo them, I prefer them in a group.
I don't mind paying for a new version for an increased feature set. I find it reprehensible that they expect you to pay to fix a security flaw. How about this, Adobe: All the people who have CS5 and want the security flaw fixed can pay to upgrade to CS6. After you refund the cost of the faulty CS5 you sold them. No, no...no protesting. You can't have your cake and eat it too.
JUG
Just Use Gimp
aaaaaaa
Well?
that they offered customers Photoshop CS5.1 for half the price a month ago.
The software industry is allowed to sell something that doesn't work without any obligation to fix errors.
Cisco has been doing this since day 1.
Don't companies stop supporting older software all the time? Isn't this like Windows saying "IE6 is no longer supported so we won't patch it, you need to upgrade" (only in this case it's paid software, which I'm sure this happens with all the time too). For example do you expect Sony to continue to patch firmware for the PS3 even once we're onto the PS5 or whatever? Even if that firmware has massive security holes they won't do it, because they won't be making money off of it anymore.
And this seems to be a disincentive to "upgrade".
I think you're just being obtuse for some sort of personal pleasure but I'll bite anyway. Ten seconds to google MS's official list of known problems for win7 using the 'site:' switch. You can redefine that list as 'defective software' and argue about it if that's how you get your jollies, but the rest of the software industry will keep on being grown-ups about it and acknowledge such things as real world limitations to be worked around in the present and overcome at some undefined point in the future. Engineering and software are "best effort" endeavours, you can go to jail for failing to make a "best effort" which is what the term "due diligence" is all about.
Obligatory car analogy: A road is not defective just because you have to patch a few potholes after its construction.
And did you exchange a walk on part in the war for a lead role in a cage? - Pink Floyd.
Adobe, shark ... shark, Adobe. Adobe, here's your jetski. Good luck!
A demand that software be "fit for purpose" with regulations etc to enforce it.
I can only hope, can't I? Me, I've had enough of the pap that's being passed off as great software, when a jenga stack shows more stability and security than most.
Apple, Microsoft, Adobe, Oracle, blah blah etc. They all dance the dance of new versions solving everything when there are too many problems dating back to the beginning of time that have never and probably will never be addressed, without the threat of penalties hanging over them.
Every time I see "OSX" instead of "OS X" (or better: "Mac OS X"), I know that the author is one of those people that pronounces it as "Oh Ess Ex" instead of "Oh Ess Ten." It is a Roman numeral. That's why all versions of OS X start with 10, as in 10.7.3. This is much like how "MAC" is Media Access Control and not equivalent to "Mac."
It bugs me in a similar fashion to the they're/their/there and it's/its ordeals.
Adobe is saying "go ahead and just pirate the next version."
Depend on a Commercial Software Supplier and they will use their strong position to stick a rusty pipe up your anus. Then they will offer you a slightly less rusty pipe for the next fuck.
With Open Source you can at least hire a competent guy to fix all these security problems and review the code. Users have to realize that there are other ways of procuring software (i.e. Open Source + hiring competent developers to add missing stuff), or this kind of shit will go on.
Adobe is making very, very good profits (relative to revenue). They are clearly Greedy Bastards who abuse their position of power. Other companies manage to deliver much better software, consistently. And they fix security issues more or less timely.
Open Source projects manage to create (typically) the best software quality, and that is with developers who are either unpaid or work for some corporation which donates the code back to a project.
Your argument is only theoretically correct. It deflects from the fact that Adobe is worshipping their "bottom line" while giving the middle finger to all their customers. This kind of behaviour might be OK for the Moldavian Mafia, but is an embarrassment for an American company.
The pirate bay introduces the free security fix.
"A road is not defective just because you have to patch a few potholes after its construction."
In my country that IS a defective road. But maybe not in America, I don't know how low the quality of workmanship has come down over there. I just assume your analogies suck.
Adobe released that product about one year ago. Now they don't want to provide a security patch. How much do they pay you for being a shill??
Class action lawsuit time.
What makes anyone think that the security bugs in CS6 won't be just as bad as the bugs in CS5?
Norton did the same thing in 2004 with the September/October virus attack and they refused to patch the 2004 version saying the new version would resolve the issue forcing you to purchase the new version of software. As result I moved ALL and I do mean ALL of my clients off of Norton products totally and switched them to another Anti Virus Provider. As well I sent them all of their product and books and material to them and quit providing service for them, PERIOD. This WILL CONTINUE to happen until someone checks them by either a fierce lawsuit or by discontinuing the use of their product. You know kinda like when BOA started to charge the extra 5 bucks and the people outraged over it and they backed down, and like Go Daddy that lost over 100,000 accounts in one day over the SOPA support. IF WE BAND TOGETHER WE CAN beat them down on this.
Adobe, the most insecure software on the planet, with a very long history of critical vulnerabilities, wants you to pay for more of the same. As they nerf their own software capabilities to provide "testimony" they are becoming more secure, you pay for less and you know in another week there will be tons of more major security holes in version 6 products. They do not even have the decency to let you know right away but wait months. Spend your money for flashy color images you frgn moths.
Just reading this now, a few days after the original article - but it looks as if Adobe's Security Bulletin for this issue (linked at top in article summary) was updated on May 11 to indicate that they will indeed release a patch for CS5.x?
"Adobe Photoshop CS6 addresses these vulnerabilities. We are in the process of resolving these vulnerabilities in Adobe Photoshop CS5.x, and will update this Security Bulletin once the patch is available. "
If so, that's awesome that outrage & public pressure said, "This is not reasonable, release a fix for the previous version, which even a week ago is the version people would have bought."
Of course, not a soul will see this post.... :-(