Adobe Photoshop: Need a Security Fix? Upgrade to a Later Version and Don’t Forget to Pay for It!
By Chinmoy Kanjilal on May 11th, 2012

Adobe recently posted a security bulletin for Adobe Photoshop addressing a security vulnerability regarding TIFF files. The vulnerability allows arbitrary code execution, giving a cracker system-wide control. This vulnerability affects all versions of Photoshop prior to and including CS5, on both Windows and Mac.

The vulnerability is specified on Symantec’s Security Focus as:

Adobe Photoshop is prone to a use-after-free memory-corruption vulnerability.
Attackers may exploit this issue to execute arbitrary code in the context of the user running the affected application.
Adobe Photoshop CS5.1 (version 12.1) is vulnerable; other versions may also be affected.

The only solution, which in reality is a non-solution, is to update to Adobe Photoshop CS6. And just in case you were wondering: no, it will not come for free if you already have CS5. With this shoddy decision, Adobe is creating a new trend in the world of security fixes, where a later paid version can be called a fix for an existing vulnerability in an earlier version. In a way, it will force users to upgrade, and while they are at it, Adobe will earn some free cash out of its own fault.

Adobe has released Adobe Photoshop CS6, which addresses these vulnerabilities. For users who cannot upgrade to Adobe Photoshop CS6, Adobe recommends users follow security best practices and exercise caution when opening files from unknown or untrusted sources.

Whenever we install software, we agree to an EULA. The same EULA statement has liability provisions as well, and now that Adobe is (probably) psych-testing its users for this new liability-based business model, someone might just go ahead and file a class action lawsuit in the coming days.

If you want to see this vulnerability in action, proof-of-concept apps are available at this page.

(Via: Slashdot)

Author: Chinmoy Kanjilal
Chinmoy Kanjilal is a FOSS enthusiast and evangelist. He is passionate about Android. Security exploits turn him on and he loves to tinker with computer networks. He rants occasionally at Techarraz.com. You can connect with him on Twitter @ckandroid.

Chinmoy Kanjilal has written and can be contacted at chinmoy@techie-buzz.com.

Copyright 2006-2012 Techie Buzz. All Rights Reserved. Our content may not be reproduced on other websites.