Adobe: Photoshop is not a target for attackers
Adobe have responded to the suggestion that they are effectively charging for security updates, saying that they do not believe that "the real-world risk to customers warranted an out-of-band release to resolve these issues". On Wednesday, a security bulletin issued by Adobe pointed out security flaws in Photoshop CS5/CS5.5 and Illustrator CS5/CS5.5, but offered only a paid-for upgrade to the very recently released CS6 versions of the applications as a fix for the flaws.
Contacted by The H's associates at heise Security, the company says it rated the APSB12-11 security bulletin a "priority 3 update" on the basis that "it is a product that has historically not been a target for attackers" and that it was not aware of any exploits targeting the issues that it had fixed. Adobe may be categorising exploits as "code used in anger to cause damage", because there is at least one proof-of-concept exploit for one of the APSB12-11 vulnerabilities.
Releasing a security advisory will, however, have raised awareness among attackers – especially attackers who use spear-phishing tactics aimed at particular categories of users within an organisation – that such holes exist in Photoshop and that they are potentially exploitable. Adobe says that installation of the upgrade "is therefore at the user's/administrator's discretion". The company also said that no "dot release" or update was scheduled for either Photoshop CS5 or CS5.5 where an "in-band" fix would have been included, so the flaws are likely to persist in the wild for a number of years.
(djwm)