
Adobe Reader Open Parameters XSS

A feature called Open Parameters in older versions of the Adobe Reader browser plug-in can be abused to carry malicious content.

In a conference paper titled "Subverting Ajax," security researchers Stefano Di Paola and Giorgio Fedon identified multiple cross-site scripting (XSS) vulnerabilities. One flaw in particular, the open parameters vulnerability, is quite easy to exploit on vulnerable versions of Adobe Reader. An attack can be carried out by referencing any Web-based PDF file and supplying potentially malicious JavaScript code as an open parameter in the URL. For example:

http://www.(domain name).com/file.pdf#whatever_name_you_want=javascript:your_code_here

The researchers contacted Adobe in October with their findings and only recently made their work public. Adobe has since released version 8 of Adobe Reader, which no longer allows appended JavaScript within site URLs. However, many users continue to use older versions of the Adobe Reader plug-in and should update as soon as possible.
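
For defenders who filter links in mail or page content, the URL pattern described above can be checked for mechanically. The following is an added example, not code from the article or from Adobe; the function names and the example.com sample links are constructed for illustration.

```javascript
// Added example (not from the article): flag PDF links whose fragment
// passes a javascript: value as an open parameter.

function decodeLoosely(s) {
  // Malformed percent-escapes must not abort the scan.
  try { return decodeURIComponent(s); } catch (e) { return s; }
}

function normaliseValue(v) {
  // Undo percent-encoding, drop whitespace/control characters, and
  // lowercase, so simple obfuscation of the scheme is still matched.
  return decodeLoosely(v).replace(/[\u0000-\u0020]/g, '').toLowerCase();
}

function inspectPdfLink(link) {
  const result = { pdf: false, suspicious: false, hits: [] };
  let url;
  try { url = new URL(link); } catch (e) { return result; }
  result.pdf = decodeLoosely(url.pathname).toLowerCase().endsWith('.pdf');
  if (!result.pdf || url.hash.length < 2) return result;
  // Open parameters follow '#' as name=value pairs joined by '&'.
  for (const pair of url.hash.slice(1).split('&')) {
    const eq = pair.indexOf('=');
    if (eq === -1) continue;
    if (normaliseValue(pair.slice(eq + 1)).startsWith('javascript:')) {
      result.hits.push(decodeLoosely(pair.slice(0, eq)));
    }
  }
  result.suspicious = result.hits.length > 0;
  return result;
}

// Constructed sample links (example.com is a placeholder host).
const SAMPLE_LINKS = [
  'http://www.example.com/file.pdf#page=3&zoom=150',
  'http://www.example.com/file.pdf#x=javascript:void(0)',
  'http://www.example.com/file.PDF#page=2&n=%6AavaScript%3Avoid(0)',
  'http://www.example.com/page.html#x=javascript:void(0)',
];

function scan(links) {
  return links.filter((l) => inspectPdfLink(l).suspicious);
}

console.log(scan(SAMPLE_LINKS));
```

Browsers do not send the fragment (everything after `#`) to the web server, so this check belongs where the full link is visible, such as a mail or HTML content filter, rather than in server access logs.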
