Adobe Ensures Photoshop Security After Startling Decision

By | May 15, 2012

There are few givens in the world of technology, and those briefly got one fewer this past week when Adobe surprised the tech world with a radical decision to not patch a security hole in a few of its popular products. Business and consumer response now has the company singing a different tune, and there's a lesson here for midsize businesses wondering about the importance of data security in an evolving IT field.

Adobe's Quick Backtrack

The issues with Photoshop security began last week when a vulnerability was discovered in several pieces of Adobe software. The hole was found in Adobe Illustrator, Photoshop, and Flash Professional from CS5.5 and earlier versions of all three products. The issue arises when the targeted computer, either Mac or PC, opens a rigged TIFF file, which leaves the computer vulnerable to remote exploitation.

Remarkably, instead of issuing a statement noting the existence of the vulnerability and giving a timetable for its correction, Adobe instead directed customers to pay to upgrade to the latest versions of these particular pieces of software, which don't suffer from the problem and can cost upwards of $100 apiece. According to the company, the threat landscape for these products wasn't enough to warrant an out-of-band release to fix the hole, as noted in this MSNBC article.

Public backlash was quick and severe, and Adobe found itself on the losing end of a social media storm as angry users and security professionals questioned why in the world Adobe would make such a strange decision. According to ComputerWorld, the company has now backtracked on its initial stance and will release upgrades to the three products without requiring that customers pay to upgrade to newer software. The new announcement neither mentioned the company's original position nor the online outcry that seemed to force the change.

Security and Today's IT

For IT managers at midsize companies, there are two things to take away from this whole episode. First, they need to stay on top of this particular issue so that the affected programs can be upgraded as soon as the patch is ready. Photoshop security isn't often high on IT's to-do list, but with this vulnerability getting headlines, there will surely be targeted attacks using TIFFs in the near future, at least until Adobe offers a solution. This is also a good time to ensure that employees understand security policies about opening attachments from unknown sources or attachments that appear in oddly worded messages from known sources.

The second thing to take away is that security is a real concern for both consumers and businesses. Software companies can no longer take their time getting patches to the public, as there are hordes of hackers and scammers desperately looking to exploit any hole they can find. The days of security ranking third or fourth on an IT manager's list of important items are over.

After a slew of breaches in the past year, at an enormous cost to those companies who lost data, keeping systems and information secure is now at the forefront of everyone's mind. Apparently, even software as benign as Adobe Photoshop can provide a backdoor into secure systems, making a complete security solution almost impossible to comprehend. IT managers need to stay constantly vigilant and can never just assume that software manufacturers will automatically handle security issues when they arise, as they will sometimes try to upsell their latest product, instead of fixing the broken one.

This post was written as part of the IBM for Midsize Business program, which provides midsize businesses with the tools, expertise and solutions they need to become engines of a smarter planet. Like us on Facebook. Follow us on Twitter.

IBM Solution Security & Resiliency

IBM's IT security expertise can help medium-sized businesses develop, implement and maintain comprehensive strategies to combat ever-evolving security threats without increasing complexity, cost, or resources required for administration.

Learn More »

More on This Topic

IT Security Needed More Than Ever For SMEs

By Daniel Newman on Oct 29, 2015
It’s hardly a secret when a large corporation gets hacked—it’s the opposite, actually. News of controversies and scandals for big business spreads quickly (like the recent Target and Ashley Madison data breaches). Just because they sometimes don’t make the front ...