Adobe says it's now working on patches for Creative Suite 5.x versions of Photoshop, Illustrator and Flash. Previously, customers would have had to pay to upgrade to CS6 to get the fixes.
The patches cover vulnerabilities that could allow a remote user to execute malicious code and take control of computers that are running the products.
A post to Adobe's security blog says the following:
We are in the process of resolving the vulnerabilities ... in Adobe Illustrator CS5.x, Adobe Photoshop CS5.x (12.x) and Adobe Flash Professional CS5.x, and will update the respective security bulletins once the patches are available.
Users may monitor the latest information on the Adobe Product Security Incident Response Team blog at http://blogs.adobe.com/psirt, or by subscribing to the RSS feed at http://blogs.adobe.com/psirt/atom.xml.
Adobe had originally said that customers would need to pay to upgrade to the CS6 versions of the products to get the fix.
The company told ZDNet Australia earlier that "while Adobe did resolve these issues in the Adobe Illustrator/Photoshop/Flash Professional CS6 major releases, no dot release was scheduled or released for Adobe Illustrator/Photoshop/Flash Professional CS5 or CS5.5", and that "the team did not believe the real-world risk to customers warranted an out-of-band release to resolve these issues".
Adobe told ZDNet Australia that it wasn't aware of any attacks that were taking advantage of the security flaws, but the news site noted that there is "a working proof of concept for the Photoshop vulnerability in the wild, which could make it trivial for a hacker to launch a targeted attack on a user".
Rich Mogull, a security analyst at Securosis.com, told Macworld that a software maker not issuing security patches for products it still supports breaks with "industry convention and customer expectations. If the products are really out of support, then that's understandable. But [Adobe's] own site shows them still within an active support window". Macworld later reported on the CS5.x about-face.
We've contacted Adobe for comment on the patches, and will update this post if and when we hear back.