Tag Archives: Adobe

Adobe is Being Sued for Bug that Deleted User Files

This could be a very interesting lawsuit and we will watch it and see where it goes.

In 2017 Adobe released Premiere Pro Creative Cloud 2017 version 11.1.0. Apparently, like a lot of software, this product was not bug-free.

In fact, a feature called clean cache not only cleaned the cache of Premiere work files, but also cleaned the user’s original files, irretrievably.

The freelancer who filed the lawsuit and is seeking class action status lost over 100,000 video files which he says cost him bigly in his inability to license those videos after Premiere went wild.  He says that the lost files cost him a quarter million dollars to create.

Adobe acknowledged the bug and released version 11.1.1 which, Adobe said, will only delete files within the media cache. Files, they said, that sit next to it will no longer be affected.
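The behaviour Adobe describes for 11.1.1 (delete only what is inside the media cache) comes down to a containment check before every delete. The following is an added example, not Adobe's code and not part of the original post; how Premiere's bug actually worked is not described here, and the function names, file names and sample directory tree are constructed for illustration.

```python
import os
import tempfile
from pathlib import Path


def clean_cache(cache_dir, candidates):
    """Delete only entries located inside cache_dir; return (deleted, refused)."""
    root = Path(cache_dir).resolve(strict=True)
    deleted, refused = [], []
    for cand in candidates:
        p = Path(cand)
        try:
            # Resolve the containing directory, not the entry itself, so a symlink
            # stored in the cache is removed as a link and its target is untouched.
            parent = p.parent.resolve(strict=True)
        except OSError:
            refused.append(str(cand))
            continue
        entry = parent / p.name
        inside = parent == root or root in parent.parents
        is_real_dir = entry.is_dir() and not entry.is_symlink()
        if not inside or is_real_dir or not os.path.lexists(entry):
            refused.append(str(cand))
            continue
        entry.unlink()
        deleted.append(str(cand))
    return deleted, refused


def demo():
    """Constructed sample tree: one original file sitting next to a cache folder."""
    with tempfile.TemporaryDirectory() as tmp:
        cache = Path(tmp) / "project" / "cache"
        cache.mkdir(parents=True)
        original = cache.parent / "original.mp4"
        original.write_bytes(b"irreplaceable footage")
        (cache / "a.cfa").write_bytes(b"derived cache data")
        os.symlink(original, cache / "link.mp4")
        candidates = [
            cache / "a.cfa",                # genuine cache file: deleted
            cache / ".." / "original.mp4",  # escapes the cache via "..": refused
            original,                       # sits next to the cache: refused
            cache / "link.mp4",             # link to the original: only the link goes
        ]
        deleted, refused = clean_cache(cache, candidates)
        left = sorted(x.name for x in cache.iterdir())
        return len(deleted), len(refused), original.exists(), left

if __name__ == "__main__":
    print(demo())
```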

Cooper (the freelancer) tried but failed to settle with Adobe.

The thing that is strange about this lawsuit is that most end user license agreements – the ones that almost no one reads – usually state that the vendor does not guarantee the software will work or that it will be free of bugs or that it is suitable for what you are planning to use it for.  Given that, why is Adobe responsible?

He is alleging that Adobe breached a duty of care and failed to disclose what was, at the time, an unknown bug.  They filed this lawsuit in California which has stronger consumer protection laws than many states do, but they are filing it in the U.S. District Court.  They are also saying that Adobe was unjustly enriched as a result of charging a fee for this buggy software.  Part of the suit is claiming negligence under California law.  They say that Adobe should have known that the software bug existed.

If the court holds that to be true then every software vendor that has a bug that impacts a user will be similarly at risk. I do think that a bug that deletes all of your data is more serious than, say, a bug where a particular feature does not work as advertised.

They are also claiming that Adobe has strict liability for a defective design and are claiming that deleting the files is a safety failure, similar to, for example, your iPad catching fire due to the battery overheating.

They are also making a number of other claims.

This suit was filed this month so we have not heard any response from Adobe, but I assume that they will claim, among other things, that the license agreement that every user agreed to even if they chose not to read it, says that we don’t guarantee the software will work.

I have several thoughts here.

First of all, if you sell or even give away open source software, you need to watch this trial (they have asked for a jury trial).  The outcome could impact your company.

You should also check your product liability insurance and make sure that it covers you in situations like this.

But in this case, unfortunately, I put 90% of the blame on the user.

IF YOU HAVE DATA THAT IS IMPORTANT TO YOU, YOU NEED TO HAVE BACKUPS.  I can’t make it any clearer than that.

Who would he blame if his house was broken into and his computer stolen?  In both the current case and my hypothetical one, absent good backups, he would have lost his data.  Whose fault would it be in my hypothetical case?

He said that the files cost him a quarter million dollars to create.  If you had a digital asset worth that kind of money, wouldn’t you periodically copy those files to a USB disk – or preferably two – and stick it in a bank vault?  I just bought a 4 terabyte disk for $80.

Seems like cheap insurance to me.

Without regard to the outcome of this suit, which could be in the courts for years, users, both business and consumer, should know that their data is at risk in any number of ways and make appropriate backups.

When it comes to cloud backup systems like iCloud or OneDrive, those systems will back things up on a best efforts basis.  If those backups fail, you will be in the same boat as these guys.

Bottom line, based on the value to you, you need to create and maintain backups as appropriate to reconstruct your data.

Even if this guy wins, and it seems unlikely to me but who knows, in the end, he still doesn’t have his videos and pictures.

As they sang in the movie Hoodwinked, be prepared, be prepared.  That is way less pain than losing your data.

Me, personally, I keep multiple copies of my data in a bank vault and each copy is split across multiple physical devices so that if any one device fails and that same device fails on multiple generations of the backup, I only lose a part of my data.  Bank vaults are controlled for temperature and humidity and are, relatively speaking, pretty secure.  However, that is only ONE measure that I take.

Depends on how important your data is to you.  Source: Motherboard.

 

 

It’s Patch Day

Yesterday was Patch Tuesday.  Microsoft had 14 bulletins, 5 of which they deemed critical, covering 59 vulnerabilities.

Oracle released patches covering 193 vulnerabilities, including 25 Java patches, one of which is already being exploited in the wild.    44 of these vulnerabilities came from third party components.  Of the 25 Java vulnerabilities fixed, 23 of them can be exploited remotely without authentication.

One of the Microsoft patches, MS15-077, fixes a zero day in the Windows Adobe Type Manager Font Driver, for which there was a proof of concept disclosed in the Hacking Team data dump.  This is a very speedy response time for Microsoft.  The bug affects Windows Server 2003, 2008 and 2012, all desktop OSs since Windows Vista and Windows RT.  It would allow hackers to install programs, view, change or delete data and create new accounts – in other words, do pretty much anything the hacker might ever want to do.

Microsoft released 28 patches for Internet Explorer, 20 of which are critical and one of which, CVE-201-2045, fixes another zero day flaw exposed in the Hacking Team dump.

Adobe released patches for two more zero day exploits that were exposed by the Hacking Team data dump and which I wrote about the other day.  Those were the ones that caused Mozilla to completely block Flash inside Firefox.

Given all this data, let’s ponder a few things:

  • Thank you Hacking Team for getting hacked – there are a number of things that got cleaned up as a result
  • Vendors – Microsoft and Adobe in this case – can move VERY quickly when their tush is on fire because someone released exploits of their systems with “easy to follow instructions” on how to use them
  • Third party – i.e. the software supply chain – affected 44 of the patches that Oracle released.  Software supply chain is a killer.
  • But the most important issue here is that this week a couple of vendors released patches covering almost 300 bugs. How on earth is a user or company supposed to absorb that many patches, figure out where the affected systems live, test the patches to make sure they don’t break anything and get them deployed to the users in a timely fashion?  
  • And, don’t forget, this is just three vendors of maybe hundreds that are used by any one organization.

Software governance, part of the overall corporate governance, risk and compliance (GRC) activity, is a challenge for companies, both big and small.  Big companies are challenged because they have so many devices scattered to the winds.  Small companies are challenged because they don’t have the resources and expertise to analyze and deploy the patches.

And, as more and more things contain software – you may remember that the Maytag repairman (actually Whirlpool) had to patch my dishwasher last week in order to complete an unrelated service call – this is not likely to get any better any time soon.

In fact, the bigger question is this – if we found and patched 300 bugs this week, how many more are out there unpatched and exploited – either accidentally or on purpose?

Information for this post came from Tech Target and Computerworld.

Not A Great Week For Adobe

Researchers at FireEye have uncovered another zero day Flash exploit from within the ruins of the Hacking Team data dump.  Adobe says that they will patch it some time this week.  Adobe also says that the flaw could cause a crash and potentially allow an attacker to take control of the affected system.

Like the first Flash zero day that was revealed from the Hacking Team data dump, this one includes a well written proof of concept, so assume that the malware writers will jump right on this one like they did the first one.

According to Adobe, the new bug affects the Windows, Linux and Mac OS X versions of Flash.

In addition, there are reports of a third Flash zero day in the Hacking Team dump, so it may well be that Adobe gets to release 3 emergency patches in a week.  That would not be a good week for the Flash maker.

This comes at a time when there is a lot of pressure to move away from Flash to HTML 5.  Three emergency patches in a week will only strengthen the call for the move.

Information for this post came from Computerworld.

Adobe Releases Emergency Patch For Flash

Yet again Flash is the means of attack by a Chinese hacking group that FireEye has labelled APT3.

The attack IS in the wild, although limited in use.

The attack looks like a phishing email offering discounts on Apple computers.

You can find out what version of Flash you are running at http://www.adobe.com/software/flash/about/ and download the newest update at https://get.adobe.com/flashplayer/ .

Even though I have updates enabled on this computer, the version of Flash that I was running was 34 versions old.  Of course, Adobe may not have released any or all of those intermediate versions.

You may remember that Steve Jobs was not a big fan of Flash – to be very polite.  This is just one of the reasons why.