Adobe’s fix for Photoshop CS5 security issue? Buy Photoshop CS6

Way to alienate a loyal customer base, Adobe.

Earlier this week we reported on how users of a bunch of Adobe products, including Photoshop CS5 and earlier, were being warned about serious security issues.

In the case of the Windows and Mac versions of Adobe Photoshop, a vulnerability exists in version CS5 and earlier that could be exploited by a malicious attacker who tricks you into opening a boobytrapped .TIF file in order to take control of your computer.

That’s a very serious problem. So, you would imagine that users would be rushing to download the security patch. Right?



Because the only fix that Adobe is making available is for users to upgrade to the latest version of Adobe Photoshop CS6. And that’s going to cost users $199 or more. (If you aren’t eligible for the upgrade, it will cost $600).


Adobe's advice - pay up

And it’s a similar story for Windows and Mac users of Adobe Illustrator CS5.5 and earlier, and Adobe Flash Professional CS5.5 and earlier. In each case, Adobe’s answer is for you to pay a not inconsiderable amount of money to update to the next major version of the product in order to benefit from the security fix.

Sure enough, social networks and online forums are buzzing with posts from disgruntled users – angry that they are having to shell out hundreds of dollars for something which is, after all, Adobe’s fault.

Adobe meanwhile tells users to “exercise caution” over what files they open with their applications, if they aren’t prepared to pay for the upgrade.

What a PR disaster for the company.

At first when I heard the news I thought there must be some mistake. Maybe Adobe’s security advisories had been worded poorly and although upgrading – for example, to Photoshop CS6 – would fix the vulnerability, the firm would also roll out a free patch to users of earlier versions.

But no. Judging by a report from H-Online, Adobe has no plans to publish a free security fix.

Adobe’s view is that because Photoshop “has historically not been a target for attackers” the risk level doesn’t make it worthwhile to produce a fix that users don’t have to pay for.

Maybe Adobe customers who feel nervous opening .TIF files will judge the level of risk for themselves, and prefer to seek alternatives from companies that take better care of their users.

Update: Some good news. Adobe has clearly been influenced by the angry response from its users, and has now said that it will release a patch for Adobe Illustrator CS5.x, Adobe Photoshop CS5.x (12.x) and Adobe Flash Professional CS5.x. The security patches are not available yet, so be sure to keep your eyes peeled for when they are available.

You can find more details on Adobe’s blog.

This is clearly preferable to Adobe customers’ only option being to pay hundreds of dollars to fix their software.

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast.
