PDF Spam Storm

Beware of PDF Vulnerabilities

November 05, 2007 — CSO — There's good news, better news, and some pretty bad news about the PDF spam that flooded corporate mailboxes this summer. The good news is that the storm of spam vanished as quickly as it came. "The increase started mid-June and the latest report we saw indicated PDF spam dried up [in the last week of August]," says John Landwehr, director of security solutions and strategy at Adobe Systems. The summer PDF campaign hit hard and fast. According to IronPort, about 5 billion copies of one of the spams were sent out. By July PDF spam accounted for about 8 percent of all spam, according to Symantec.

The better news is that the PDFs were all straight spam, not attempted exploits. Unless youâ¬"re interested in dubious stock tips, the spam was harmless.

The bad news is the attack points to the potenÂtial for PDF exploits that could infect everything from a single computer to an entire network. And in fact, as this story went to press, Adobe was admitting that a critical vulnerability had been found in PDF files. The company had a workaround for the problem but was still trying to cobble together a patch. This flaw comes after versions of Acrobat Reader earlier than version 8 were discovered to have a nasty JavaÂScript cross-site scripting (XSS) vulnerability.

The problem of image spam didnâ¬"t start with PDFs and it wonâ¬"t end with them. The latest trend, which started showing up in July, is to embed the payload into an Excel XLS file. What makes these attacks particularly nasty is the social engineering component. PDF and XLS documents have more credibility with business users than a JPEG. If the average user gets an e-mail titled "complaint" containing nothing but a PDF, he or she will likely open it. Until this year, security vendors didnâ¬"t check PDFs and XLS files, because there wasnâ¬"t a problem with them and theyâ¬"re hard to check. Many antispam products didnâ¬"t check nondocument attachments at all. That has changed, and most antispam products now check PDFs as well as other forms of image spam. Getting spam in your corporate e-mail is still annoying, of course. But the danger is that the same technique could deliver Trojans, viruses, malware and other threats. That threat appears to have been realized with this latest critical vulnerability, which uses the "mailto:" e-mail function to inject malicious code into a PC. Adobe is telling customers to "use caution" when clicking on attachments.