Adobe: No threat from PDF spam

No hard evidence that PDF spam exposes users to security risks, claims the company, which nonetheless recommends user caution.

PDF spam--junk e-mail with its message attached as a PDF file to get past spam filters--poses no security risk, says Adobe Systems.

Asked if PDF spam can embed malicious software, Erick Lee, a security engineer at Adobe, wrote in an e-mail on Wednesday that "PDF is no more able to embed malware on an unsuspecting user's system than any other typical e-mail attachment."

Over the last two months, security vendors have seen a spike in spam embedded within PDF documents. Last week, it was used in a large-scale "pump and dump" scam that reportedly caused a huge spike in spam levels and in the share price of the company highlighted in the PDF spam campaign.

According to the PDF-creation software maker, there is no hard evidence that such spam exposes users to any security risk.

"Although a nuisance, we have not verified an incident where PDF spam became a security issue," Lee said. "Users can be assured that PDF is still the de facto standard for more secure and dependable electronic information exchange."

Nonetheless, Lee added, the onus is on users to protect themselves. "(We) recommend that users exercise skepticism and caution when receiving unsolicited e-mail communications requesting user action, such as opening attachments or clicking Web links," he said.

In Symantec's latest report, released on Monday, the security vendor noted that PDF image spam, which started to emerge in June this year and is on the rise, accounted for between 2 percent and 8 percent of all spam in July.

Ascertaining authenticity
One way a valid PDF sender can ensure that the recipient knows the file is authentic is to use a certified-document digital signature, said Lee.

The security engineer noted that the digital signature, when combined with Adobe Acrobat and Reader, will "provide additional validation of the author and content."

Lee said that, to ensure the security of the PDF document, the company has a Dynamic Link Library file called PDF IFilter, which "enables the creation of software that analyzes PDF files."

The PDF IFilter is used by security vendors, as well as search-engine companies, to scan the contents of PDF files. "For example, when a user searches for a PDF file on Google, they can click a found link to see the PDF file's contents in a HTML page," Lee explained.

Adobe said it is working with spam-filter companies to help prevent PDF spam from "getting through to inboxes" by implementing the PDF IFilter.

Details on potential vulnerabilities and their solutions are available on Adobe's Web site, and all documented security vulnerabilities and their solutions are distributed through the Adobe security-notification service.

Lynn Tan of ZDNet Asia reported from Singapore.