Users of versions 6.x and 7.x of the Adobe Reader browser plug-in should go ahead and upgrade to version 8 to avoid a nasty little sanitization flaw.
Adobe Reader Needs An Update
Versions 6.x and 7.x of the Adobe Reader plug-in for Internet Explorer and Firefox can be turned into a cross-site scripting vector. The plug-in does not sanitize the parameters passed to it in a PDF link, so attacker-supplied script can run in the victim's browser in the context of the site hosting the PDF.
Secunia noted in its advisory on the issue that users can avoid the problem by upgrading to version 8 of Adobe Reader.
Limited testing by CERT indicated that the upgrade works as recommended. CERT described the issue in its note on the problem:
The Adobe Acrobat Plug-In PDF Open Parameters feature allows users to specify actions to take on a PDF document via URI parameters. However, the Adobe Acrobat Plug-In fails to properly validate these URI parameters for scripting code. This allows user-supplied scripts to execute within the context of the web site hosting the PDF file causing a cross-site scripting vulnerability.
People who are unable to upgrade to the latest version of Adobe Reader have the workaround options listed in CERT's advisory, chiefly disabling the automatic display of PDF documents inside the browser so that PDF links are handed to the stand-alone application instead of the plug-in.
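The parameters CERT is describing ride in the fragment of a PDF link, after the "#", as key=value pairs (for example "#page=3&zoom=100"). As an added illustration of what "validate these URI parameters for scripting code" means in practice, the following JavaScript parses that fragment and flags any parameter whose value is a script URI. It is example code written for this article, not code from Adobe, CERT or Secunia; the parameter name "foo", the sample URLs and the list of schemes treated as script are assumptions for the demo.

```javascript
// Added example: parse Adobe Reader "Open Parameters" from the fragment of a
// PDF URL and flag values that carry a script URI. Open Parameters are
// key=value pairs separated by '&' after '#'. The flaw described above is
// that the plug-in accepted such values unvalidated; this check is a
// detection aid for link scanners or content filters, not a fix.

// Schemes treated as script (assumption for the demo; extend as needed).
const SCRIPT_SCHEMES = /^(javascript|vbscript):/i;

// Split "#a=1&b=2" into [{key, value}], percent-decoding each value.
function parseOpenParams(url) {
  const hash = url.indexOf('#');
  if (hash === -1) return [];
  return url.slice(hash + 1).split('&').filter(Boolean).map(pair => {
    const eq = pair.indexOf('=');
    const key = eq === -1 ? pair : pair.slice(0, eq);
    const raw = eq === -1 ? '' : pair.slice(eq + 1);
    let value;
    try { value = decodeURIComponent(raw); } catch (e) { value = raw; }
    return { key: key.toLowerCase(), value };
  });
}

// Normalise a value the way a browser would before scheme matching:
// drop leading whitespace and embedded ASCII control characters, so
// "java\nscript:" or " javascript:" is still recognised.
function normaliseScheme(value) {
  return value.replace(/[\u0000-\u001f\u007f]/g, '').replace(/^\s+/, '');
}

// Return the names of all Open Parameters whose value is a script URI.
function findScriptParams(url) {
  return parseOpenParams(url)
    .filter(p => SCRIPT_SCHEMES.test(normaliseScheme(p.value)))
    .map(p => p.key);
}

// Constructed sample links for the demo (not real sites or exploit strings).
const SAFE_LINK = 'http://www.example.com/report.pdf#page=3&zoom=100';
const BAD_LINK = 'http://www.example.com/report.pdf#page=1&foo=javascript%3Aalert(document.cookie)';
const OBFUSCATED_LINK = 'http://www.example.com/report.pdf#foo=%0Ajava%0Ascript:alert(1)';

for (const link of [SAFE_LINK, BAD_LINK, OBFUSCATED_LINK]) {
  const hits = findScriptParams(link);
  console.log(hits.length ? `FLAG ${link} (${hits.join(', ')})` : `ok   ${link}`);
}
```

One caveat worth remembering when deploying a check like this: the fragment is never sent to the web server, so a server-side filter on the site hosting the PDF cannot see it. The check has to run where the whole link is visible, for example in a mail or proxy link scanner, or in the page that renders links to PDFs.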
The usual caution about not clicking unfamiliar links from untrusted sources applies here as well. Our previous article on the serious threat from malicious JavaScript explains why that is a greater concern now.