Last week, Adobe created a firestorm of user unrest when it issued a series of security bulletins impacting three applications of its Creative Suite and said that users must pay to upgrade to the latest versions of the apps if they wanted patches that would close the vulnerabilities.
The company was quickly besieged by users, technology professionals, and security experts demanding that it reverse course and offer security patches to users who couldn’t afford the upgrades (or didn’t want to spend the money). Even though the company quietly backpedaled and announced it would offer security updates without acknowledging the reason for its about-face or offering an apology, the gaffe raises concerns that Apple’s yearly OS X release cycle might lead it down a similar path.
At issue are eight vulnerabilities in Photoshop CS5, Illustrator CS5.5, and Flash Professional CS5.5 (as well as earlier versions of each app). Five of the vulnerabilities are in Illustrator, two are in Photoshop, and one is in Flash. The vulnerabilities are in both Mac and Windows versions of the apps, and Adobe warned that they could be exploited “to take control of the affected system.”
While it isn’t uncommon for companies to stop issuing patches for older software after releasing a new version like Adobe’s recently shipped CS6, in this situation Adobe was killing support for applications that shipped just one year ago in the case of Flash and Illustrator and two years ago in the case of Photoshop.
Adobe’s apps are some of the more expensive graphics, web, and publishing tools on the market, and they are relied on by designers, animators, publishers, and marketing teams the world over. Upgrade pricing for these tools ranges from $99 for Flash to $249 for Illustrator, with a package upgrade to Adobe’s Design & Web Premium suite, which includes all three, costing $375.
The incident raises an interesting question: How soon is too soon to stop patching older software?
Refusing to patch a year-old app seems pretty ruthless and more than a little greedy, but what about software that’s two, three, or four years out of date? Is it worth it for a company to continue expending resources to fix problems when there may be little or no return on the investment?
After all, many people avoid upgrading expensive software like the Creative Suite apps for years until they’re forced to by changing technology, new features, or prodding by the software vendor. That means the company may never see a real return on that investment. Even if they do, it may be extremely far down the road.
Of course, that brings up another question: Should the cost of the initial software and/or the upgrades to it be a factor in legacy support?
These questions go beyond Adobe. Robin Stevens, a member of Oxford University’s network team, recently claimed that Apple will be forced to engage in similar practices now that it’s moving to a yearly release of OS X – a claim that has yet to be proven right or wrong despite being based on Apple’s past behavior. Stevens demanded that Apple continue patching OS X versions that were five years out of date and support hardware that’s as old as seven years – essentially demanding Apple treat OS X as Microsoft treated Windows XP.
That sounds a bit excessive to me, particularly when you consider that the last two OS X updates shipped for just $29.99 and Apple is giving customers using older versions of OS X a free upgrade to Snow Leopard to encourage them to migrate to iCloud.
Still, it raises the question of how far Apple, Adobe, or even Microsoft should go when it comes to legacy software and legacy hardware support. That’s an open question but one thing seems clear from Adobe’s flap – one year of support for a pricey application isn’t enough.