Adobe: PDF spam poses no risk
August 16, 2007
Over the last two months, security vendors have seen a spike in spam embedded within PDF documents. Last week, it was used in a large-scale "pump-and-dump" scam which reportedly caused a huge spike in spam levels as well as the share price of the company highlighted in the PDF spam campaign.
According to the PDF creation software maker, there is no hard evidence that such spam exposes users to any security risk.
"Although a nuisance, we have not verified an incident where PDF spam became a security issue," Lee said. "Users can be assured that PDF is still the de facto standard for more secure and dependable electronic information exchange."
Nonetheless, Lee added, the onus is on the users to protect themselves. "[We] recommend that users exercise skepticism and caution when receiving unsolicited e-mail communications requesting user action, such as opening attachments or clicking Web links," he said.
In Symantec's latest report released Monday, the security vendor noted that PDF image spam, which started to emerge in June this year and is on the rise, accounted for between 2 percent and 8 percent of all spam in July.
Differentiating the authentic
One way a valid PDF sender can ensure that the receiptient knows the file is authentic, is to use a certified document digital signature, said Lee.
The security engineer noted that the digital signature, when combined with an Adobe Acrobat and Reader, will "provide additional validation of the author and content".
Lee said that to ensure the security of the PDF document, the software giant has a Dynamic Link Library (DLL) file called PDF iFilter, which "enables the creation of software that analyzes PDF files".
The PDF iFilter is used by security vendors as well as search engine companies to scan the contents of PDF files. "For example, when a user searches for a PDF file on Google, they can click a found link to see the PDF file's contents in a HTML page," Lee explained.
Adobe said it is working with spam filter companies to help prevent PDF spam from "getting through to inboxes" by implementing the PDF iFilter.
Details on potential vulnerabilities and their solutions are available at Adobe's Web site, and all documented security vulnerabilities and their solutions are distributed through the Adobe security notification service.
PDF spam, where junk e-mail attach their message as a PDF file to get past spam filters, poses no security risk, says Adobe Systems.
Author: Lynn Tan, ZDNet Asia