Adobe has backpedaled on its decision not to patch critical vulnerabilities in older editions of its signature Creative Suite package, a decision under which it had asked users to upgrade to the new CS6 release instead and spend hundreds of dollars in the process. The change of heart, of course, comes in response to the massive public outcry from customers.
The vulnerabilities in question could allow a remote user to execute malicious code and take control of the computer running the affected products. One bug exists in Flash Professional, two in Photoshop and another five in Illustrator. While Adobe hasn't outlined the reason for reversing its decision, it did confirm it will now patch all eight vulnerabilities existing in the three software titles, the oldest of which is barely two years old.
"We are in the process of resolving the vulnerabilities addressed in these security bulletins in Adobe Illustrator CS5.x, Adobe Photoshop CS5.x and Adobe Flash Professional CS5.x, and will update the respective security bulletins once the patches are available," Adobe's product security response team wrote on their official blog.
In another statement to ZDNet Australia, the software house commented that "while Adobe did resolve these issues in the Adobe Illustrator/Photoshop/Flash Professional CS6 major releases, no dot release was scheduled or released for Adobe Illustrator/Photoshop/Flash Professional CS5 or CS5.5", because "the team did not believe the real-world risk to customers warranted an out-of-band release to resolve these issues."
Adobe's position also drew sharp criticism from industry security experts, with Graham Cluley of UK-based security firm Sophos writing on the firm's blog, "way to alienate a loyal customer base, Adobe." He continued, "Adobe meanwhile tells users to exercise caution over what files they open with their applications, if they aren't prepared to pay for the upgrade. What a PR disaster for the company."