Slashdot Mirror
Adobe Introduces the Paid Security Fix
Nimey writes "Adobe has posted a security bulletin for Photoshop CS5 for Windows and OSX. It seems there is a critical security hole that will allow attackers to execute arbitrary code in the context of the user running the affected application. Adobe's fix? You need to pay to upgrade to Photoshop CS6. For users who cannot upgrade to Adobe Photoshop CS6, Adobe recommends users follow security best practices and exercise caution when opening files from unknown or untrusted sources."
I can see it now, all software vendors are going to introduce security flaws or wait until one is discovered to release the next paid upgrade release.
I think a class action suit is in order for all the holders of the older version. It their software causes a security hole and if one person gets hammered by it then like the car companies having to recall and fix cars, software vendors will have to do likewise.
Are you listening Adobe.
If this was a years-old version, I'd understand, but CS5 was the latest version until literally days ago!
This is akin to buying a 2010 Chevy (under warranty), then finding out that the brakes catch on fire under certain circumstances, and the company's suggestion: buy a 2012.
Sorry but Microsoft does the best at offering security fixes at no cost. I can't think of another company that does it better than Microsoft.
Since I can't mod Adobe "-1 flamebait" I'll just say it again. Fuck you, Adobe! I'd like to go on record as stating that you should all be ashamed of yourselves.
Interesting enough, the CS collections aren't listed on Adobe's products and Enterprise Technical Support Lifecycle Policy.
When you have nothing to say, blame Microsoft.
Seriously. This is why people download pirated versions. Even if you have a paid version of something, the damned thing "phones home" every time you launch it, the bozos are so paranoid. You can disable this in /etc/hosts, but it's still indicative of greedy grubbing stupidity. If they charged a third of the price, they'd sell 3 times more copies. Look what Apple did with FCP -- they made it affordable (yes, I've read the complaints, but it works fine).
Doh.
"Just released, and coming in at 370 MB in size, the Mac OS X 10.7.4 update includes general OS fixes, and addresses more than 30 security vulnerabilities. But aside from typical security fixes, Apple has made an interesting move in an effort to protect users. Through this latest software update, Safari 5.1.7 will now automatically disable older â" and typically more vulnerable â" versions of the Adobe Flash player. While many software vendors would prefer OS makers to keep their hands off their software, the move appears to be welcomed by Adobe, which has constantly battled vulnerabilities in its widely installed Flash Player."
Maybe Apple should disable Photoshop CS5 as well?
[Fuck Beta]
o0t!
And everyone who downloaded it illegally will just download CS6 in response. Oh, and half the people who paid for CS5 will probably do the same thing. Great move, Adobe.
CS5 was released only 24 months ago, whereas Win98 was EOL'd when it was a little over 8 years old. Say what you will about Microsoft, but they look pretty good in that particular comparison.
You couldn't be more wrong. Nobody provides for longer support than Microsoft.
I don't respond to AC's.
Three orders of magnitude is very large in real life.
Windows 7 Ultimate: $200
Photoshop CS6: $700
Oh yeah, Microsoft is so much worse.
Sure, blame it on the Eskimos - as if they don't suffer enough...
There is an old story I will retell that should serve as a warning for all customers.
Once upon a time, there was a transport company employee charged with replacing a large segment of the companies trucks made by Volvo. The employee, being a bright individual called up a sales clerk from Ford that had been trying to get a foot in the door and asked him to send three Ford trucks for testing. The day the Volvo sales clerk came to make discuss the purchase of new Volvo trucks, these three Ford trucks happened to be parked on the lot. When the trucking company employee saw the Volvo sales clerk glance at them, he said "Yeah, the boss has been looking them, he seems to think they are an alternative worth looking into. But that is for later, lets discuss the deal you were going to offer us".
In another company far far away, an CTO who loved IBM hardware knew it was time to discuss the purchase of new hardware, so he ordered an underling to set up a trial project with HP servers, just to see what the competition was doing. When the IBM man came by he of course showed him the workfloor including the corner where the junior was working on those shiny new HP servers, "Got to give the kids their toys to play with " the CTO told the IBM sales clerk. "Btw, what was the price you were going to ask for again".
But in the dark and damp lands of Mordor, a very different tale was playing out. There the CTO invited the MS and Abobe sales clerk and proudly showed them how his entire business depended completely on their software product and how not only did they need the software to work flawlessly or they would be bankrupt in seconds, all the staff could only use the latest software and their customers demanded that they use the latest software. "BTW", The CTO asked, "what was that deal you wanted me to sign in my own blood again while bending over"? And there was much rejoicing among the Tribes of MS and Abobe, for they knew exactly who was calling the shots. One lockin to rule them all and in Eula bind them. For the users of MS and Abobe where greedy and feeble minded and could not break free of the spell.
---
Really, this is nothing new. In the land of NAS and control systems, this is par de course. You let a supplier control you, control you they will. Want to break free? Good luck, your company needs the new version, license or risk being unable to produce so you hand them the cash and lock yourself in just a little bit more.
Not a SINGLE Photoshop user will invest in his own freedom by making sure there are alternative methods to do his production. They will grind their teeth buy the latest version and invest yet more to make sure their production is entirely locked into Adobe clutches.
Cue countless protests about how there are no alternatives... no, there are none because any who dares to try is ridiculed for not instantly producting a 100% compatible product for free because freedom should be free of effort and cost.
You gave Adobe the control, enjoy it.
It is not as if you are alone. Governments often dictate that procurement must be regulated, meaning that once a procurement contract has been done, all interest in customer satisfaction goes out the window because the contract is fixed, can't be ended and renewal depends solely on the price offered (not charged) so fuck you peon.
I seen it to often in other industries, entire production line depended on one type of machine, fired your own maintenance team and anyone who could switch them out with other hardware. Goes, the "extra" charges sure went up a lot didn't they? Suddenly maintenance must be done by their certified team, at weekend charges.
Lockin, avoid it or pay the price.
MMO Quests are like orgasms:
You may solo them, I prefer them in a group.
This is not only not new, but the exact same thing happened for CS4 -> CS5. I still use CS4, because I spent so much time waiting for CS5, which kept missing its release dates, that I bought CS4 instead. Then they wanted me, TWO MONTHS LATER, to shell out another $400 for what amounted to a security/bug fix, as I didn't need any of the new features included in CS5, just the bugs fixed -- and they weren't willing to fix the bugs.
At least at this point, all the attacks are targeting CS5, so CS4 isn't getting any worse than it already was....
I'm starting to think I should try migrating to another package again... anyone know of decent (yes, decent) equivalents for Photoshop, Distiller, InDesign and Illustrator? GIMP takes care of many of the Photoshop issues, but Inkscape isn't there yet, Ghostscript has the wrong feature set for me (and I don't have the time to write my own scripts to fix that), and nothing else I've found is integrating these other apps into one workflow package the way InDesign does, nor will they read InDesign templates or publish to industry workflows with proper color and bleed profiles.
I'm sorry, but even "Non-Genuine" copies of Windows still get security fixes. There is no comparison here.
Windows: Pirate our software, we'll still give you security fixes (although we might put a watermark asking you to stop pirating it)
Adobe: Buy our software, but you only get security fixes if you give us even more money.
Hell, MS gives security fixes even to XP until 2014 (13 years after its release). CS5 is less than 2 years old.
AccountKiller
More importantly, if you bought CS5 for $2000 just three months ago, you have to pay to upgrade. It's like your iPhone 4 warranty running out when the 4s was released, even if you just purchased a v4 a couple weeks before hand.
Is it just my observation, or are there way too many stupid people in the world?
If it's broken, get them to buy something to fix it.
Oh come on, this 'oh Microsoft is just as bad' is the biggest cop-out. In this case it's just a blatant lie, CS5 was released early 2010 and this announcement means they've discontinued support for it, Windows XP was released in 2001 and is still supported now and will be until mid-2014.
I made the switch to the Gimp years ago. I got tired of pirating Photoshop. Then, when I switched to Linux, Photoshop doesn't run on Linux. Lo and behold, Gimp is an easy install, and I learned that. Now that I've switched to Mac (for the desktop), I still use Gimp. Ooh, and there's a new version out, and the development version handles high-bit images!
gimp.org
I do stuff Zhrodague
Actually, they now have a $50/month subscription service that allows install on 2 computers (non-simultaeneous use).
The $600/year comes to 2-3 times as much as keeping current ($300 year for every upgrade since CS3, or about $200 year to go from 3-6), but does not have the $1800 upfront cost, meaning for new purchasers are actually ahead for about 4-6 years. An upgrade from 5 -> 6 is $725, so it's 2 years before it's more expensive to use the subscription than purchasing the upgrade (the subscription comes with cloudiness, and the full master-collection, but I'm using Design and Web Premium prices).
I the the relatively low start-up cost ($50) of the subscription, is going to seriously cut-into piracy, and make them A LOT of money.
Wow, sent an e-mail as suggested when clicking on "use classic" banner, and got a fast response that addressed my msg
Adobe's fix? You need to pay to upgrade [from CS5] to Photoshop CS6.
Ah yes, I would be delighted to buy more software from you, since it worked out so well last time around.
This is especially egregious since according to the researcher's announcement, Adobe has been sitting on this bug since last September. Users of CS5 should demand a patch.
1000 / 3.5 ~= 285. Of course, that assumes you believe the OP's billions vs millions claim.
Sources claim 650M for windows 7:
http://news.softpedia.com/news/Windows-7-Approximately-650-Million-Sold-Licenses-by-the-End-of-2011-202026.shtml
http://finance.yahoo.com/q/ks?s=ADBE+Key+Statistics
If 100% of Adobe's 4.2B revenue comes from $700 Photoshop sales, that's 6M units/year, call that 24M units over the lifespan of windows 7 since release in 2009.
So for every unit of Photshop, you have at least 27 units of windows. Factor in the 3.5X price and you still have about 8 equivalent units of windows for every photshop over which to amortize costs.
"Who is the Journal of Quantum Physics going to believe?" --Stephen Hawking
Here's the problem with that - they were told about the issue in September 2011. They didn't address it then, but apparently decided to wait until well after the public advisory.
CS6 is not available in some markets. And this is going to be a real killer for chunks of the corporate world. My pet artists are going to be on a sneakernet if they want to keep CS5 and are going to have to learn a new toolset in the meantime if they want to come back onto my network. (The one hooked up to the internet with support contracts and enterprise agreements and production web servers)
PAIN.
A sig is placed here
To display how futile
English Haiku is
Also, Photoshop 6 has only been the stable release for 50 days according to Wiki - not exactly the time to upgrade if you're actually working with Photoshop...
*cough*IBM typewriters*cough*
They sentenced me to twenty years of boredom
Check your sources again. $50 / mos for the entire Adobe CS6 suite. All the packages.
I was picturing it more along the lines of the following (read it in Cave Johnson's voice if need be):
Okay, seriously, you guys. Seriously this time. We want out of this industry. The CEO and the board members are filthy stinking rich Silicon Valley douchebags, they want to get the hell out and retire while the retirin's good. The only thing stopping them is all those code monkey drones they need to pay, and so long as you idiots keep buying our products, we can't really stop them. I mean, have you SEEN some of those people? I don't even want to LOOK at them, let alone do anything that would either require me getting close enough to them to physically stop them nor give them a reason to get anywhere near me where I might have to look at them.
So here's the plan: STOP BUYING OUR PRODUCTS ALREADY. If we go around firing everyone when the company's doing well, we'll be up to our necks with questions, lawsuits, and neckbeards. But if you people stop buying our products due to our own incompetence, the company dies out, avoiding all those unpleasantries. All right? It's a win-win situation: We get to retire to our private islands in luxury and bliss, you get to no longer use our catastrophically braindead products.
To that end, we'll be instituting a series of corporationally suicidal moves to convince you, the unhappy consumer, to start investing heavily in HTML5 development and get those amateur art hacks who bought copies of Photoshop with their college discounts to switch to something cheaper, since they only use a couple features from Photoshop anyway, and those features have been in free stuff for a decade or so by now. Sure, sure, there'll be some professionals who DO need Photoshop and who will gladly keep pumping money into our retirement plans for another bug-riddled incremental update to a big-riddled raster image editor, but I'm certain whoever takes over our assets after our graceless plummet into corporate financial ruin will continue to service them perfectly well until they wise up and get out of this business, too.
Everybody got the plan? Good! We'll start with a program to charge for security updates and progress onward to a microtransaction-based Illustrator. If you want those vector tools, you're going to pay for 'em. See you at this quarter's board meeting!
Actually, if by "RHEL from 2008" you mean RHEL5 then you were quite wrong. Apparently, redhat promises security updates at last until sometime in 2017:
https://access.redhat.com/support/policy/updates/errata/
Do you really expect a virus or exploit to announce to you that your system has been pwned?
They used to do that but it's rare now.
These days all that saying you have never run into a virus or exploit means for many people is that they are silently pwned.
CS6 just launched and I mean JUST. It shipped on May 7th. So this isn't a case of an old version where Adobe is saying "Look guys, we are discontinuing support, have to buy the new one if you want it." The "old" version is only "old" by 3 days now.
And it has only been released for purchase for a few DAYS. It was released this week (the week of the 7th).
Almost makes me wonder if they new about the problem and only acknowledged it now so they didn't have to patch it for free. captcha revenues
Windows ME got 6 years of support (Microsoft offers a minimum of 10 years of support for Business and Developer products). Mac OS 10.3 got 4 years of support (Apple don't have a defined policy for their life cycle, just a general rule that they offer support for the current and previous version). REHL will get 13 years of support.
Two years of support for CS5 is not just "a *bit* quick" for such expensive, professional software. It is an insult.
Exactly. If people don't like this, they should find another vendor.
This is not support. This is fixing something that was broke in the first place.
I void warranties.
MS security fixes are not "no cost".
They just look cheaper on the surface, because the cost is amortized across BILLIONS of forced Windows licenses, instead of MILLIONS of Photoshop licenses.
Three orders of magnitude is very large in real life.
Does not compute. Windows XP has been around for a decade. XP will have received "free" updates for 12 years when support is finally dropped. On the other hand, Adobe Photoshop has had 8 major version releases during that time. According to Adobe's website site, 4 of those versions are no longer supported...and apparently we need to add another few versions to the list.
Bitch about MS all you want, but their support of security fixes for Windows and Office has been excellent compared to companies like Adobe. If I were a Photoshop user I would have spent thousands of dollars to keep my version in support compared to the $200 that XP costs up front. And yes, it really isn't fair to compare OS support to application support.
"A plan fiendishly clever in its intricacies"- Homer Simpson
You're not a programmer, are you?
You certainly know nothing about how impossible it is to write "perfect" software.
"Bitch about MS all you want, but their support of security fixes for Windows and Office has been excellent compared to companies like Adobe"
I have to agree, MS has indeed patched XP for a long time. MS gets lots of practice in patching security holes but to their credit (I never thought I'd say that about MS!) they have not charged anything for it. I can't even complain about them dropping support for XP in 2014; they've carried it for a long, long time and that is pretty responsible behavior (given the very slow move away from XP). Neither did they need to provide patches to pirated versions, but they did that in the best interests of the worldwide computing community.
IIRC Adobe is not the first to pull this "buy the new version" stunt.
GIMP? ...lol
"More importantly, if you bought CS5 for $2000 just three months ago, you have to pay to upgrade."
Good reason not to pay for it in the first place.
"This post is an artistic work of fiction and falsehood. Only a fool would take anything posted here as fact."
Perhaps they did. Protek Research Lab says they reported apparently the same bug to Adobe in September 2011. They went public after six months with no fix.
http://www.protekresearchlab.com/index.php?option=com_content&view=article&id=40&Itemid=40
As I said before (received with the standard mockery and excuses), it's hard to empathize with Windows or Adobe users. You know you're buying a paid service. You know they're in it for the money. They aren't your friends or your Mommy or your guardian angel. You give them money, they give you a license to use their product for a while, with premium services at extra cost. It's all in the EULA. You did read it, didn't you?
I'm pretty sure that Adobe doesn't have to plan security bugs... They just unlock the cages that they keep the Flash dev team in and let them use their keyboards for a few minutes.
In a way, it is obvious...
if old version has a problem
and new version doesn't have (this particular) problem
then solution = buy the new version.
If it was the current release that was buggy, I would say they should put developers on a fix... If it is a flaw in an older version, that doesn't exist in the new version, then telling the customers to buy the current version is perfectly acceptable.
If they were already in development on the new version when they found out about a flaw in the current version... then its a decision about how much developer time it will cost to create a fix for the old (current) version and whether that time could be put to better use working on the new version. I deal with those kind of questions all the time at work myself. They are not easy.
"You want to know how to help your kids? Leave them the fuck alone." -George Carlin
$50/mo for 12-24 mos (until CS6.5/CS7 upgrade time) = $600-$1200, and you don't even have a license to use the software if you stop paying $50/mo.
Nope, doesn't sound like a good deal to me.
make imaginary.friends COUNT=100 VISIBLE=false
That's news.
Vote monkeys into Congress. They are cheaper and more trustworthy.
Yes, however many companies have sunk many thousands of dollars into testing and release of a new version of the software in their offices, Adobe taking this step may cost those organisations even more funds and cause increased internal stress. It's not only internal factors that must be considered, but also external ones. If you're not considering the impact on your customers of such a decision, you're ignoring a key stakeholder.
"... exercise caution when opening files from unknown or untrusted sources."
Untrusted sources, you mean like Adobe?
So are you offering to pay $10K or more for this hypothetical near-perfect software?
or will you pay $200 and accept that there may be bugs (and that the company will offer fixes for major security issues for x years) ?
It all comes down to economics at some point.
This seemed like a reasonable sig at the time.
Photoshop 6 == Photoshop CS1, the CS is quite important here.
And the CS stands for Compromised Security.
It's not released "knowingly defective."
With millions of lines of code they also can't test every possible application and error. What you're suggesting is that no OS could be released until there are no errors whatsoever. In this case, no OS would ever be released.
An OS can't anticipate the future.
A lot of patches and drivers have to be written after gold release, because of changes and new versions of hardware, new third-party software and apps, and new types of attacks.
If they pirate, they'll certainly download VLC. VLC can play the DVD, with or without the Windows codec.
The right to protest the State is more sacred than the State.
you can't tell at the same time "it's impossible to write zero bug software" and "but I didn't know my software had bugs"
Excuse me, I'm not sure if you are aware of it but your post has an identifyable bug, it contains an obvious strawman that your proof-reading appears to have missed. Can you please patch your original post and remove said strawman. Note, I don't want a new post, I want you to fix the original. I've donated to slashdot several times over the last decade to the tune of maybe $30 total, I know it's not a lot but nevertheless I didn't pay to see your bug ridden posts. /sarcasm
And did you exchange a walk on part in the war for a lead role in a cage? - Pink Floyd.
Look at the release date of Adobe CS6. It was released on the 7th of May, basically just a few days ago. Now look at when the bug apparently reported to them - back in September of last year! It looks very much like Adobe have delayed fixing a serious security vulnerability until they could get away with charging users for the fix.
And this seems to be a disincentive to "upgrade".
It's also a matter of time...
CS5 was released in 2010, followed by CS5.5 in 2011. CS6 was just released in April.
So to say the solution for a owner of Adobe's CS suites (which can run over a thousand dollars) is to upgrade to a newer version is kind of ridiculous.
Say you just bought CS5.5 in February. Now you have to pay $550 to make your software safe? Or let's say you bought CS5 Master Collection back in March 2011.
You now have to pay over $1,000 to upgrade a 14 month old program.
SERIOUSLY
Adobe please point shotgun at face and pull trigger again and again....FIRE YOU CEO!!!!
Yeah, it's "obvious" all right. If a company sells a defective product, it's liable to legal action in tort (and possible criminal or class action suit under various consumer-protection statutes) if that company refuses to repair or replace the defective merchandise. This is especially true if the defect is serious and capable of causing injury, as it is here. If you disagree, I have all sorts of stuff I'd like to sell you.