- Related Stories
-
A picture worth a thousand lies
July 31, 2007 -
Microsoft photo standard comes into focus
July 31, 2007 -
Adobe to open Lightroom to developers
June 26, 2007 -
Adobe wraps up video for tomorrow's producers
June 25, 2007 -
Adobe blasts Apollo into beta through AIR
June 10, 2007 -
Photoshop plug-in hints at next Lightroom
May 31, 2007 - Related Blogs
-
An extra helping of spam, anyone?
August 14, 2007
Asked if PDF spam can embed malicious software, Erick Lee, a security engineer at Adobe, wrote in an e-mail on Wednesday that "PDF is no more able to embed malware on an unsuspecting user's system than any other typical e-mail attachment."
Over the last two months, security vendors have seen a spike in spam embedded within PDF documents. Last week, it was used in a large-scale "pump and dump" scam that reportedly caused a huge spike in spam levels and in the share price of the company highlighted in the PDF spam campaign.
According to the PDF-creation software maker, there is no hard evidence that such spam exposes users to any security risk.
"Although a nuisance, we have not verified an incident where PDF spam became a security issue," Lee said. "Users can be assured that PDF is still the de facto standard for more secure and dependable electronic information exchange."
Nonetheless, Lee added, the onus is on users to protect themselves. "(We) recommend that users exercise skepticism and caution when receiving unsolicited e-mail communications requesting user action, such as opening attachments or clicking Web links," he said.
In Symantec's latest report, released on Monday, the security vendor noted that PDF image spam, which started to emerge in June this year and is on the rise, accounted for between 2 percent and 8 percent of all spam in July.
Ascertaining authenticity
One way a valid PDF sender can ensure that the recipient knows the file is authentic is to use a certified-document digital signature, said Lee.
The security engineer noted that the digital signature, when combined with Adobe Acrobat and Reader, will "provide additional validation of the author and content."
Lee said that, to ensure the security of the PDF document, the company has a Dynamic Link Library file called PDF IFilter, which "enables the creation of software that analyzes PDF files."
The PDF IFilter is used by security vendors, as well as search-engine companies, to scan the contents of PDF files. "For example, when a user searches for a PDF file on Google, they can click a found link to see the PDF file's contents in a HTML page," Lee explained.
Adobe said it is working with spam-filter companies to help prevent PDF spam from "getting through to inboxes" by implementing the PDF IFilter.
Details on potential vulnerabilities and their solutions are available on Adobe's Web site, and all documented security vulnerabilities and their solutions are distributed through the Adobe security-notification service.
Lynn Tan of ZDNet Asia reported from Singapore.
See more CNET content tagged:
spam,
Adobe PDF,
Adobe Systems Inc.,
security risk,
digital signature
It can't be joe-slacker just getting his kicks. I would venture to guess it is an investor or the companies themselves that are sending out the crap.
Seems like stock fraud to me.
"PDF is no more able to embed malware on an unsuspecting user's system than any other typical e-mail attachment."
"According to the PDF-creation software maker, there is no hard evidence that such spam exposes users to any security risk."
Ok... typical e-mail attachments are very able to be embeded with malware. So that isn't every comforting. And apparently there has been 'hard evidence' that pdfs can be a security risk: http://news.com.com/2100-1002_3-6147428.html
So I guess it is time to update the mail filter profiles!
least bit of thought. I call them mail junkies. They are so into
getting mail that they could care less who it's from. People really
need to be more educated rather than expecting the rest of the
internet to protect them from themselves. A lot of it is due to
parents who get younger kids email and IM accounts and fail to
monitor what they are opening and downloading.Pretty soon the
old home computer becomes a sombie computer without
anybody knowing it.
I always tell people to use a limited account with younger user's
and use maximum spam filters on their mail accounts.
Because once you get on these mailing lists. You almost have to
open a new email account to start fresh.
...NIGERIAN-Trojan-SUPER-SPAMBOT-ROOT-KITTING-Zombifier.EXE ..?
Since...
"PDF is no more able to embed malware on an unsuspecting user's system than any other typical e-mail attachment."
Well, I feel a lot better... NOT.
Honestly, I think I would have felt safer if someone, -trustworthy-, simply said that there have been no (or almost no known) instances of the recent flood of SPAM, with ".pdf" attachments, actually containing "malicious code"... rather than including the, fundamentally-asinine, NON-STATEMENT which was actually made by "Adobe".
But, maybe thats just me.
http://www.oreillynet.com/onlamp/blog/2007/01/adobe_acrobat_javascript_execu.html
"Nitesh Dhanjani
Adobe Acrobat JavaScript Execution Bug is a Huge Security Issue
Wednesday January 3, 2007 8:54PM
by Nitesh Dhanjani in Technical
The Adobe JavaScript execution bug recently discovered is a huge security issue for any organization that serves PDF files via its web servers.
This post mentions the bug originally found by Stefano Di Paola and Giorgio Fedon:
It seems that PDF documents can execute JavaScript code for no apparent reason by using the following template:
You must understand that the attacker doesn?t need to have write access to the specified PDF document. In other words, the Adobe Acrobat client will execute the JavaScript code."
[i]Erick Lee, a security engineer at Adobe, wrote in an e-mail on Wednesday that "PDF is no more able to embed malware on an unsuspecting user's system than any other typical e-mail attachment."[/i]
I'm pretty sure he's comparing PDFs to the likes of GIFs, JPGs or MP3s which can't carry malware AFAIK; unfortunately executables can also be attached to emails, as can ZIP archives both of which are very capable of carrying malware.
Furthermore, I see PDF as an active document, along the lines of Word, Excel, PowerPoint or OpenOffice documents all of which are well known for being able to carry malware.
Personally, I gpo by the assumption that whatever the attachment is, if I didn't request it, I don't even view it! It goes directly to Trash.
Just because they've yet to find it doesn't mean it's not there.
Security 101 still takes precidence in my book... "Don't click on unknown attachments!" That has always been the rule... and it still stands in my book.
For those whom may have accidentally clicked on a .pdf file, you might rank your threat worries down a rank or two, but that's all this article says.
Walt