Just a few days after the company announced that customers would have to pay for security updates to some of its popular products, Adobe officials backed off that idea and announced that patches for flaws in Illustrator, Photoshop and Flash Professional would be provided after all.
Last week, Adobe issued patches for a long list of vulnerabilities in Flash and other products, but it also issued advisories for Photoshop, Illustrator and Flash Professional, three of the company’s popular creative applications. Adobe did not release patches for those vulnerabilities, even though in the advisories the company said that the flaws could be used to take complete control of vulnerable machines and run arbitrary code. Instead, Adobe said that fixes for those bugs would be in the form of “paid upgrades.”
That drew a lot of criticism from security researchers, and late last week Adobe decided that it was probably a better idea to give customers the updates for free.
“We are in the process of resolving the vulnerabilities addressed in these Security Bulletins in Adobe Illustrator CS5.x, Adobe Photoshop CS5.x (12.x) and Adobe Flash Professional CS5.x, and will update the respective Security Bulletins once the patches are available,” Adobe’s Dave Lenoe said in a blog post.
Photoshop, Illustrator and Flash Professional are widely deployed in the creative industry, where they are used by professional graphic artists and others, and less so by consumers. These applications don’t have the massive install bases that Flash and Reader do and therefore aren’t key targets for attackers. Still, the fact that the vulnerabilities in the apps are remotely exploitable and can be used to take complete control of victims’ machines makes them dangerous bugs.
Adobe did not say when the patches for these vulnerabilities will be available.