Thursday, August 16, 2007

Small Comfort of the Day: 2007-08-16

PDF is no more able to embed malware on an unsuspecting user's system than any other typical e-mail attachment.
-- Erick Lee, a security engineer at Adobe (alt. link)

Following is a copy of an email that I sent to Lynn Tan, the author of the article containing this statement. I'll let you know if I get any response.


Dear Ms. Tan:

I read your article about PDF files and the threat, or lack thereof, that that they pose as email attachments, in today's NY Times.

You quoted Erick Lee: "PDF is no more able to embed malware on an unsuspecting user's system than any other typical e-mail attachment."

This is very small comfort, given how many email attachments can, in fact, carry malware. I'm thinking of EXE files, Microsoft DOC and VBS files, and as we both know, the list could be made much longer. Perhaps by "typical" Mr. Lee meant "compared to, say, picture files like JPEGs and GIFs." If so, I wish he would have been more specific.

So, I have three follow-up questions for you:

1. Does the vast amount of capability that can be stored in PDF files (to provide mechanisms like file locking, forms that can be filled in, and so on) mean that there is some chance that executable code could be made to ride along? I'm thinking, by analogy, of DOC files containing viruses that work through MS Word's macro mechanisms.

2. I use Wordpad to read DOC files that come as email attachments. (As you probably know, this is a common safety recommendation -- Wordpad's reduced functionality means, among other things, that it can't run macros.) I have been using FoxIt to read all PDF files (not just email attachments) for about seven months now, mostly because it loads about 100 times faster than Adobe Reader. Foxit is vastly smaller than Reader, which implies reduced functionality. Therefore, if the answer to question 1 is "yes" or even "maybe," and thinking of preferring Wordpad for attached DOC files, how much safer would one be preferring FoxIt or some other lightweight reader to Adobe Reader for opening PDF attachments?

3. Many programs besides Adobe Acrobat can be used to create a PDF file these days. Modern versions of Word come to mind. Since it's already well-known that one can embed malware in a Word DOC file, what are the chances that Word could also be made to embed malware when it saves a file in PDF format, instead?

I think my questions are not without merit, especially given Mr. Lee's vague and somewhat lawyer-ish statement. If you can't take the time to respond to my email directly, perhaps you could pursue some of what I've raised in a follow-up article.


No comments: