People can run arbitrary code via your software and the "fix" is to pay for an CS6 upgrade?
Not to mention you knew about this exploit since _last year_ http://www.protekresearchlab.com/index.php?option=com_content&view=art icle&id=40&Itemid=40
CS5 is not that old, plus you wait until CS6 is released and offer that as a "fix" ?
For me (using CS 4) it is not only the timing.
I've paid a lot of money not too long ago for this software. Now the vendor tells me that it has "critical vulnerabilities", i.e. I've paid for a product that is defective. And now I have to pay for fixing something I've already paid for?
Great customer service!
I don't think that I had to pay for a fix if my car loses it's wheels spontaneously. And I don't think that the car company would tell me "Buy a new car!"
This is serious--and despicable!
Somewhat fortunately, I'm very careful with TIFFs simply because if a file is a TIFF file, then I know I did not save it myself, as I generally stick to PSDs and PSBs, plus the occasional PNG or JPEG; but that's little consolation. More fortunately, I have a "complimentary" copy of Ps 13 ("CS6") coming because I updated from CS4 to CS5 in April.
However, the way Adobe is handling this issue and treating its customers is simply a disgrace. Adobe has fully evolved into a truly evil, unresponsive bureaucracy.
As there is practically no viable competitor to Adobe out there, it's high time to take it to court.
I must say, I find the Security Bulletin strange, to say the least. It starts out by saying the following, which sounds normal and reasonable.
Adobe released a security upgrade for Adobe Photoshop CS5 and earlier for Windows and Macintosh.
Then they hit you with this:
Adobe has released Adobe Photoshop CS6 (paid upgrade), which addresses these vulnerabilities.
Come to think of it, this may be a good business model... put some serious security vulnerabilities into the software on purpose, then charge people to buy the next version that fixes the problem...
I had to read it several times before I finally believed that they really were calling the Photoshop CS6 release a "security upgrade" and "paid upgrade". Every day brings a new surprise from Adobe, doesn't it?
I think when they mentioned CS6 that they were just saying that it's not vulnerable.
They go on to say:
We are in the process of resolving these vulnerabilities in Adobe Photoshop CS5.x, and will update this Security Bulletin once the patch is available.
That sounds like they're gonna fix CS5 to me.
Hohohoho! They updated and revised that bulletin today, after this thread was started and the first five replies were posted, including my post calling for taking Adobe to court. Just a happy coincidence, of course.
May 11, 2012 - Added information on update to Adobe Photoshop CS5.x.
May 10, 2012 - Corrected last affected version number.
May 8, 2012 - Bulletin released.
You are right - when I read the security bulletin the last revision was the one stating "Corrected last affected version number". Whatever the reason they added the new revision comment, it is the right thing to do for Adobe to release a security fix for CS5.
Yes, Ramon, Adobe legal is closely monitoring this forum, and they are afraid of your lawyer... Indeed, this has been discussed in many places, including Cnet, and other sites. Nice timing, still.
I think that Adobe should check its communications more closely, to try to mitigate issues like this one. (In the past, they did release patches for non-current software)
A different inference that could be drawn by a prudent, reasonable individual is that posts 7, 8 and 9 were simply pointing out that the OP and the first five replies to it reflected the reality of the bulletin at the time they were posted, and were not the result of any misinterpretation. The welcome revision was made later.
That Adobe does not react to any perceived or imagined legal consequences is as clear as the fact that it is often not guided by moral scruples or competent legal counsel. What's more, the corporation appears to be unimpressed by the decline in the value of its stock in the last five years either. Investors are evidently as upset as Adobe customers, but that doesn't appear to bother Adobe.
Adobe used to be a responsive company. As they have bought out or defeated their competition, their service has declined. I have had to get the better business bureau involved the last three orders due to inability to get response from the company. In none of the cases was the problem difficult to fix (shipment to wrong state, wrong version sent, etc), but Adobe has made it almost impossible to get any response other than a canned email reply that does not allow reply. Their phone callback system is a joke, generally getting a promise that is not kept.
They make some great products and I and my company have spent tens of thousands of dollars on their software. But they are getting smug.
Yes, I've followed the thread, and I'm aware that they revised the text. We will never know if someone decided that the upgrade was a good enough fix, than changed his/her mind seeing the torches and pitchforks, or if is just poor communication, that the update was scheduled, but since the corporate policy at Adobe is to never speak about unannounced software, no mention was done until it was ready...
And notice the smiley... There is no need to infer that others are unreasonable or imprudent.
that the update was scheduled, but since the corporate policy at Adobe is to never speak about unannounced software, no mention was done until it was ready...
I do not believe the policy of unannounced software applies to security fixes. Note that Adobe has announced the fix for CS5 even thought it is not released yet.
Given that the vulnerability affects CS5 and previous releases and one of the vulnerabilities is a buffer overflow, I suspect the fault is in "legacy" code. I wonder how hard it would be for Adobe to fix releases prior to CS5? Would the CS5 fix be backward compatible, requiring not much more than recompiling the module for prior releases? And, of course, testing.
I understand it is impractical for any software developer to support all back releases. But security updates are special. Adobe, and all software companies, have an interest in keeping the Web as safe as possible. All developers should make security fixes as widely applicable as possible. I would note that Microsoft still makes security fixes available for Windows XP and Office 2003, even though mainline support for those products ended. Both of those products are over a decade old.
Well now you have the news factor, and gives naughty people a vector to a vulnerability; versions older than CS6 could be a target. Not sure if the bad guys would think this worthwhile exploiting, but you never know.
Will be interesting to see how long it takes for the fix to get pushed.
Europe, Middle East and Africa