Adobe Ensures Photoshop Security After Startling Decision

By | May 15, 2012

There are few givens in the world of technology, and there was briefly one fewer this past week when Adobe surprised the tech world with a radical decision not to patch a security hole in a few of its popular products. The response from businesses and consumers now has the company singing a different tune, and there's a lesson here for midsize businesses wondering about the importance of data security in an evolving IT field.

Adobe's Quick Backtrack

The issues with Photoshop security began last week when a vulnerability was discovered in several pieces of Adobe software. The hole was found in Adobe Illustrator, Photoshop, and Flash Professional, in CS5.5 and earlier versions of all three products. The issue arises when the targeted computer, either Mac or PC, opens a rigged TIFF file, which leaves the computer vulnerable to remote exploitation.

Remarkably, rather than issuing a statement noting the existence of the vulnerability and giving a timetable for its correction, Adobe directed customers to pay to upgrade to the latest versions of these particular pieces of software, which don't suffer from the problem and can cost upwards of $100 apiece. According to the company, the threat landscape for these products wasn't enough to warrant an out-of-band release to fix the hole, as noted in this MSNBC article.

Public backlash was quick and severe, and Adobe found itself on the losing end of a social media storm as angry users and security professionals questioned why in the world Adobe would make such a strange decision. According to ComputerWorld, the company has now backtracked on its initial stance and will release upgrades to the three products without requiring that customers pay to upgrade to newer software. The new announcement mentioned neither the company's original position nor the online outcry that seemed to force the change.

Security and Today's IT

For IT managers at midsize companies, there are two things to take away from this whole episode. First, they need to stay on top of this particular issue so that the affected programs can be upgraded as soon as the patch is ready. Photoshop security isn't often high on IT's to-do list, but with this vulnerability getting headlines, there will surely be targeted attacks using TIFFs in the near future, at least until Adobe offers a solution. This is also a good time to ensure that employees understand security policies about opening attachments from unknown sources or attachments that appear in oddly worded messages from known sources.

The second thing to take away is that security is a real concern for both consumers and businesses. Software companies can no longer take their time getting patches to the public, as there are hordes of hackers and scammers desperately looking to exploit any hole they can find. The days of security ranking third or fourth on an IT manager's list of important items are over.

After a slew of breaches in the past year, at an enormous cost to the companies that lost data, keeping systems and information secure is now at the forefront of everyone's mind. Apparently, even software as benign as Adobe Photoshop can provide a backdoor into secure systems, making a complete security solution almost impossible to comprehend. IT managers need to stay constantly vigilant and can never just assume that software manufacturers will automatically handle security issues when they arise, as they will sometimes try to upsell their latest product instead of fixing the broken one.

This post was written as part of the IBM for Midsize Business program, which provides midsize businesses with the tools, expertise and solutions they need to become engines of a smarter planet.
