August 16, 2007 6:34 AM PDT

Adobe: No threat from PDF spam

PDF spam--junk e-mail with its message attached as a PDF file to get past spam filters--poses no security risk, says Adobe Systems.

Asked if PDF spam can embed malicious software, Erick Lee, a security engineer at Adobe, wrote in an e-mail on Wednesday that "PDF is no more able to embed malware on an unsuspecting user's system than any other typical e-mail attachment."

Over the last two months, security vendors have seen a spike in spam embedded within PDF documents. Last week, it was used in a large-scale "pump and dump" scam that reportedly caused a huge spike in spam levels and in the share price of the company highlighted in the PDF spam campaign.

According to the PDF-creation software maker, there is no hard evidence that such spam exposes users to any security risk.

"Although a nuisance, we have not verified an incident where PDF spam became a security issue," Lee said. "Users can be assured that PDF is still the de facto standard for more secure and dependable electronic information exchange."

Nonetheless, Lee added, the onus is on users to protect themselves. "(We) recommend that users exercise skepticism and caution when receiving unsolicited e-mail communications requesting user action, such as opening attachments or clicking Web links," he said.

In Symantec's latest report, released on Monday, the security vendor noted that PDF image spam, which started to emerge in June this year and is on the rise, accounted for between 2 percent and 8 percent of all spam in July.

Ascertaining authenticity
One way a valid PDF sender can ensure that the recipient knows the file is authentic is to use a certified-document digital signature, said Lee.

The security engineer noted that the digital signature, when combined with Adobe Acrobat and Reader, will "provide additional validation of the author and content."

Lee said that, to ensure the security of the PDF document, the company has a Dynamic Link Library file called PDF IFilter, which "enables the creation of software that analyzes PDF files."

The PDF IFilter is used by security vendors, as well as search-engine companies, to scan the contents of PDF files. "For example, when a user searches for a PDF file on Google, they can click a found link to see the PDF file's contents in a HTML page," Lee explained.

Adobe said it is working with spam-filter companies to help prevent PDF spam from "getting through to inboxes" by implementing the PDF IFilter.

Details on potential vulnerabilities and their solutions are available on Adobe's Web site, and all documented security vulnerabilities and their solutions are distributed through the Adobe security-notification service.

Lynn Tan of ZDNet Asia reported from Singapore.

See more CNET content tagged:
Adobe PDF, spam, Adobe Systems Inc., security risk, digital signature

13 comments

Join the conversation!
Add your comment
who buys these stocks?
can i PLEASE meet the idiot that buys one of these stocks from a spam email? i'd like to shake their hand. or more accurately, i'd like to shake their throat. what moron gets an unsolicited pdf, opens it, sees a stock name, buys it and expects to gain?
Posted by sadchild (280 comments )
Reply Link Flag
investigations...
better yet... why arent these stocks and the people that send the false stock reports investigated by the SEC?

It can't be joe-slacker just getting his kicks. I would venture to guess it is an investor or the companies themselves that are sending out the crap.
Seems like stock fraud to me.
Posted by arluthier (112 comments )
Link Flag
You don't get out much, do you?
Step outside and meet the public. You'll be impressed by the level of stupidity that exists today in the USA.
Posted by ejevo (134 comments )
Link Flag
same people who send bank info to Nigerian scams
Believe it or not, there's a lot of gullible people out there. I just met a guy who was bragging about buying 1000 shares of some penny stock and having a profit of 3 cents a share. WOW!
Posted by oxtail01 (308 comments )
Link Flag
Contradictory?
Umm... is it just me or are these two statements a bit on the contradictory side?

"PDF is no more able to embed malware on an unsuspecting user's system than any other typical e-mail attachment."

"According to the PDF-creation software maker, there is no hard evidence that such spam exposes users to any security risk."

Ok... typical e-mail attachments are very able to be embeded with malware. So that isn't every comforting. And apparently there has been 'hard evidence' that pdfs can be a security risk: <a class="jive-link-external" href="http://news.cbsi.com/2100-1002_3-6147428.html" target="_newWindow">http://news.cbsi.com/2100-1002_3-6147428.html</a>

So I guess it is time to update the mail filter profiles!
Posted by arluthier (112 comments )
Reply Link Flag
Who buy's this stuff? Come on
Their are so many idiots out their who open mail without the
least bit of thought. I call them mail junkies. They are so into
getting mail that they could care less who it's from. People really
need to be more educated rather than expecting the rest of the
internet to protect them from themselves. A lot of it is due to
parents who get younger kids email and IM accounts and fail to
monitor what they are opening and downloading.Pretty soon the
old home computer becomes a sombie computer without
anybody knowing it.
I always tell people to use a limited account with younger user's
and use maximum spam filters on their mail accounts.
Because once you get on these mailing lists. You almost have to
open a new email account to start fresh.
Posted by jesmac418 (35 comments )
Reply Link Flag
What About Adobe Javascript?
There is a setting in Adobe Reader labeled "Adobe Java Script". I have it turned off, but I am leery about how it could be used by a malicious sender.
Posted by Stating (869 comments )
Reply Link Flag
So... If I read this correctly...
The e-mail attachment: "data.pdf" is no more dangerous than... say...

...NIGERIAN-Trojan-SUPER-SPAMBOT-ROOT-KITTING-Zombifier.EXE ..?

Since...

"PDF is no more able to embed malware on an unsuspecting user's system than any other typical e-mail attachment."

Well, I feel a lot better... NOT.

Honestly, I think I would have felt safer if someone, -trustworthy-, simply said that there have been no (or almost no known) instances of the recent flood of SPAM, with ".pdf" attachments, actually containing "malicious code"... rather than including the, fundamentally-asinine, NON-STATEMENT which was actually made by "Adobe".

But, maybe thats just me.
Posted by Had_to_be_said (384 comments )
Reply Link Flag
"Adobe Acrobat JavaScript Execution Bug is a Huge Security Issue"
This fellow says, "Adobe Acrobat JavaScript Execution Bug is a Huge Security Issue". I think the right answer is to uninstall that 110 megabyte bloatware known as Acrobat Reader and replace it with Foxit or equiv. Anybody who has Adobe Javascript turned on is nuts.

<a class="jive-link-external" href="http://www.oreillynet.com/onlamp/blog/2007/01/adobe_acrobat_javascript_execu.html" target="_newWindow">http://www.oreillynet.com/onlamp/blog/2007/01/adobe_acrobat_javascript_execu.html</a>
"Nitesh Dhanjani
Adobe Acrobat JavaScript Execution Bug is a Huge Security Issue
Wednesday January 3, 2007 8:54PM
by Nitesh Dhanjani in Technical

The Adobe JavaScript execution bug recently discovered is a huge security issue for any organization that serves PDF files via its web servers.

This post mentions the bug originally found by Stefano Di Paola and Giorgio Fedon:

It seems that PDF documents can execute JavaScript code for no apparent reason by using the following template:



You must understand that the attacker doesn?t need to have write access to the specified PDF document. In other words, the Adobe Acrobat client will execute the JavaScript code."
Posted by Stating (869 comments )
Link Flag
I had a feeling...
...that there'd be some sort of way for PDFs to infect machines as soon as I started receiving PDFs in spam.

[i]Erick Lee, a security engineer at Adobe, wrote in an e-mail on Wednesday that "PDF is no more able to embed malware on an unsuspecting user's system than any other typical e-mail attachment."[/i]

I'm pretty sure he's comparing PDFs to the likes of GIFs, JPGs or MP3s which can't carry malware AFAIK; unfortunately executables can also be attached to emails, as can ZIP archives both of which are very capable of carrying malware.

Furthermore, I see PDF as an active document, along the lines of Word, Excel, PowerPoint or OpenOffice documents all of which are well known for being able to carry malware.

Personally, I gpo by the assumption that whatever the attachment is, if I didn't request it, I don't even view it! It goes directly to Trash.
Posted by GeoNorth (51 comments )
Reply Link Flag
And thus...
And thus we're to believe Adobe just because they've yet to find the flaw or what?

Just because they've yet to find it doesn't mean it's not there.

Security 101 still takes precidence in my book... "Don't click on unknown attachments!" That has always been the rule... and it still stands in my book.

For those whom may have accidentally clicked on a .pdf file, you might rank your threat worries down a rank or two, but that's all this article says.

Walt
Posted by wbenton (522 comments )
Reply Link Flag
 

Join the conversation

Add your comment

The posting of advertisements, profanity, or personal attacks is prohibited. Click here to review our Terms of Use.

What's Hot

Discussions

Shared

RSS Feeds

Add headlines from CNET News to your homepage or feedreader.