Slashdot Mirror

← Back to Stories (view on slashdot.org)

Adobe Changes Its Tune On Forcing Paid Upgrade To Fix Security Flaws

Posted by Soulskill on from the give-the-people-what-they-scream-about dept.

wiredmikey writes with a followup to Thursday's news that Adobe was recommending paid software upgrades in lieu of fixing security holes in some of its applications. After receiving criticism for the security bulletin, Adobe changed its mind and announced that it's developing patches to fix the vulnerabilities. "Developing a patch, especially for three different applications, can be costly and time consuming. Developing these patches consumes development resources, then must run through a QA process, and the patch needs to be communicated and distributed to users. And for a company like Adobe with a massive customer base using its Photoshop, Illustrator, and Flash Professional, the bandwidth cost alone can be substantial. For a popular product that was just over two years old, providing a fix to address a serious security flaw its what customers deserve. And while Adobe may have originally tried to sneak by without addressing the issue and pushing users to upgrade to its new product, the company made the right move in the end."

10 of 90 comments (clear)

  1. Boohoo by SuperMog2002 · · Score: 5, Insightful

    Developing these patches consumes development resources, then must run through a QA process, and the patch needs to be communicated and distributed to users. And for a company like Adobe with a massive customer base using its Photoshop, Illustrator, and Flash Professional, the bandwidth cost alone can be substantial.

    Boohoo. Welcome to software development.

    --
    Sunwalker Dezco for Warchief in 2016
    1. Re:Boohoo by david.emery · · Score: 5, Insightful

      Well, maybe Adobe runs independent codebases for their projects, so some poor schmuck coder has to go to each projectbase, check out the offending file(s), and make the changes. That would run counter to a Product Line Approach as recommended by the SEI... :-)

      Of course, if Adobe would tighten up on their security coding practices, they wouldn't have these problems in the first place. But judging by Flash's patch history, that's too much to ask.

    2. Re:Boohoo by lightknight · · Score: 4, Insightful

      Seriously. We're talking about Adobe, which ranks up there with Oracle, MS, and friends. If they can all create security patches for their last several major products, as well as the variations for each, then Adobe can do the same.

      And if you want to do something about bandwidth, just integrate a Bit torrent client into the downloader, like, I don't know, a fair number of other companies have done.

      What more, Adobe has a really sorry record for security, plus some infamy associated with its upgrades. Adobe Acrobat Reader is constantly updating itself, to deal with security issues, which all, apparently, need a system reboot (why does an application like this need a system reboot, I wonder).

      --
      I am John Hurt.
    3. Re:Boohoo by Anonymous+Brave+Guy · · Score: 4, Insightful

      If you're going to start playing the "as-is" card then I'm going to start playing the "fit for purpose" card. If it's a one-time purchase of software and what I get in the box is all I ever get, that means your software must do its job properly without any showstopping bugs, and must not damage my system in any way or create any security vulnerabilities.

      If your software does have bugs that stop me from using it for its intended purpose, you can refund me the full purchase price and any additional costs for consequential losses to clean up the mess. And if your software is not 100% secure, you can have unlimited liability for any consequential losses caused by your negligence, just like any other product. Oh, by the way, I've got 10 expert witnesses who will testify that you could have made your software much more secure if you'd only spent more money on its development, chosen better tools, and followed better processes, so we'll be seeking punitive damages as well if they apply in your jurisdiction because you cheaped out instead of doing real engineering as befits a product with that price tag.

      A lot of people have argued that giving liability to software makers for substandard products is somehow unreasonable, because software development just doesn't work like that. I think it's a relatively weak argument anyway, because while there is an element of truth to it and software engineering certainly isn't as well-developed a field as the major physical engineering disciplines, a lot of software bugs clearly are avoidable and leaving them in really is some combination of negligence or deliberate cost-cutting at the expense of quality. In any case, we are in the Internet era, when avoidable security screw-ups can cause very substantial damage to customers far beyond the purchase cost of the software. I think it's blatant mockery to make an argument that liability for shipping a flawed product is unfair because of the "reality" of the industry, yet then to claim with a straight face that customers are not entitled to ongoing updates to fix any security vulnerabilities or bugs in advertised functionality, free of charge and on the same terms as the original purchase, as such problems are discovered throughout the reasonably expected lifetime of the software.

      --
      If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
  2. Write fewer bugs. by Alex+Belits · · Score: 5, Insightful

    Developing a patch, especially for three different applications, can be costly and time consuming. Developing these patches consumes development resources, then must run through a QA process, and the patch needs to be communicated and distributed to users. And for a company like Adobe with a massive customer base using its Photoshop, Illustrator, and Flash Professional, the bandwidth cost alone can be substantial.

    You know what is cheaper? Hiring developers with a clue, so they won't write bugs by the bucketload.

    --
    Contrary to the popular belief, there indeed is no God.
  3. massive sales by gbjbaanb · · Score: 4, Insightful

    And for a company like Adobe with a massive customer base using its Photoshop, Illustrator, and Flash Professional, the bandwidth cost alone can be substantial

    you know what, if they such a massive customer basse, then they would have already made massive profits from those 'massive' sales. So the company just forgot to factor in the percentage for maintenance from those sales.

    Its a bit pathetic really, unless their development costs are so great - but then I'd say the management and developers are at fault, patching isn't a particularly difficult task once you've done the fixes for the current version anyway.

  4. Call the waaambulance by wickerprints · · Score: 5, Insightful

    So what it if it costs you money? It's your error, and your responsibility to fix it. We're not talking about a version that you stopped selling years and years ago. We're talking about a version that stopped selling only recently--in fact, more recently than when the security flaw was reported.

    What are you doing with the several hundreds of dollars each licensee pays you for a copy of Photoshop? Or the $2000 that they pay for an edition of CS? Wiping your asses with it? Rolling it into a joint and letting your developers smoke it?

    Adobe (like another tech company that starts with an "A") was once a stand-up company. Ironically, the CEO of that "other company" accused Adobe of being LAZY. And he was 100% correct. Lazy and bloated and coasting on their monopoly success. Again, the principle holds: the more trust and power the consumer gives to a corporation, the more they will abuse it.

  5. Cry me a river... by Lohrno · · Score: 5, Insightful

    The base non-student version of their software costs 1299.

    I do not want to hear ANY complaints about money from them with that kind of audacity.

  6. No shit by Sycraft-fu · · Score: 5, Insightful

    Look Adobe, I'd be in your corner if this were Photoshop 5, like pre CS days, we were talking about here. If people were saying "You have to go fix something from 1998 because we won't upgrade!" I'd be along with you saying "Look people, stop being cheap bastards, get out the wallet, and buy new software at least once a decade, that's not unreasonable."

    However we are talking about CS5, as in the last major, released only 2 years ago (CS5.5 is a more minor update, and shares the same codename). You need to at least put out security fixes for the last version, support it for a few years. I don't expect you to do any feature updates, but security updates are not too much to ask.

    Also they want to wine about time, QA, and bandwidth? Give Microsoft a ring, see how it goes for them supporting OSes for 10+ years (OSes that cost less than a single CS program I might add), doing regression testing against thousands of pieces of hardware and software, and then distributing them to the majority of computer users in the world. They seem to get on fine and still make billions, so I'm going to say you can put on the big boy pants Adobe, and patch this fucking issue.

    P.S. Don't when to me about bandwidth when you offer downloadable trials of shit. A patch is going to be a couple hundred MB maybe, and more likely less. Your trial downloads can be GBs. You have bandwidth you whiny shits.

    1. Re:No shit by Anonymous+Brave+Guy · · Score: 3, Insightful

      Adobe supports current version and current -1 version. Under circumistance, 5.0 is -2 versions back(5.0 and 5.5 are different major versions, even though it doesn't looks so)

      The typical expected lifespan for a modern business PC is 3-5 years. There is really no excuse for a piece of software that costs four figures per seat not to receive essential security updates for a similar period. If you don't like that, don't charge a premium price for the software. If you want to charge a premium price, you have an effective monopoly, you are too incompetent to write secure software in the first place, and you aren't even willing to cover the cost of essential security updates, then it's about time someone won a profit-eliminating lawsuit against you for selling a product that isn't fit for purpose.

      Even with prices much higher for their software, they still have much smaller profit than Microsoft. So judging them on same scales is rather unfair.

      No, it isn't. To any given customer, they are charging far more for a product than Microsoft. It is not unreasonable at all to expect a better standard of quality and support for the more expensive product. If they can't sell more copies of it to get the profits up, well, maybe they shouldn't have such a bad reputation for poor quality and security, and maybe they should consider not charging such a high price to incentivise more people to buy. Or maybe their product just isn't as useful to so many people. There's no magic entitlement to megaprofits.

      --
      If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.