Users are advised to upgrade their Adobe Reader software following the discovery of a potential serious cross-site scripting bug [1]. The vulnerability, which involves Adobe Reader 6.x and Adobe Reader 7.x, means it is possible to execute potential hostile JavaScript code simply by appending it to a PDF's URL.

The flaw, discovered by security researchers Stefano Di Paola and Giorgio Fedon and announced [2] at the Chaos Communication Congress conference in Berlin this week, might be most easily exploited through Adobe Reader browser plug-ins [3]. Users are advised to upgrade to Adobe Reader version 8.0 to defend against attack, or to apply workarounds as suggested by the SANS Institute's Internet Storm Centre here [4]. ®

Links

1. http://secunia.com/advisories/23483
2. http://events.ccc.de/congress/2006/Fahrplan/events/1602.en.html
3. http://www.disenchant.ch/blog/hacking-with-browser-plugins/34
4. http://www.kb.cert.org/vuls/id/815960

Related stories

• Adobe patches Reader flaw (4 November 2008)

  http://www.theregister.co.uk/2008/11/04/adobe_reader_flaw/

• Adobe Reader Trojan predates mystery update by two weeks (11 February 2008)

  http://www.channelregister.co.uk/2008/02/11/adobe_reader_exploit/

• Stealthy Adobe Reader update fixes mystery security bugs (7 February 2008)

  http://www.channelregister.co.uk/2008/02/07/stealth_adobe_reader_update/

• Malware spectre haunts Adobe Reader (21 September 2007)

  http://www.channelregister.co.uk/2007/09/21/pdf_peril/

• Fake flash player site used to spread malware (22 June 2007)

  http://www.channelregister.co.uk/2007/06/22/shockwave_social_engineering_ruse/

• Bug brace menaces Adobe Photoshop (1 May 2007)

  http://www.channelregister.co.uk/2007/05/01/adobe_photoshop_bugs/

• Attackers improve on JavaScript trickery (20 April 2007)

  http://www.channelregister.co.uk/2007/04/20/javascript_obfuscation_attacks/

• New vulnerability strikes heart of Web 2.0 (3 April 2007)

  http://www.theregister.co.uk/2007/04/03/javascript-hijacking/

• Adobe targets developers with Apollo (19 March 2007)

  http://www.channelregister.co.uk/2007/03/19/adobe_atlas/

• 150 ways to let hackers in (5 February 2007)

  http://www.theregister.co.uk/2007/02/05/fortify_rulepack/

• Bug brokers offering higher bounties (25 January 2007)

  http://www.channelregister.co.uk/2007/01/25/bug_brokers_offering_higher_bouties/

• Adobe Reader update lances multiple bugs (11 January 2007)

  http://www.channelregister.co.uk/2007/01/11/adobe_reader_update/

• Adobe, Symantec press EC to remove Vista tanks from their lawns (22 September 2006)

  http://www.channelregister.co.uk/2006/09/22/symantec_adobe_vista_objections/

• Adobe adopts monthly patch cycle (15 December 2005)

  http://www.channelregister.co.uk/2005/12/15/adobe_monthly_patch_plan/

• Adobe warns over PDF peril (17 August 2005)

  http://www.theregister.co.uk/2005/08/17/adobe_pdf_glich/

• Adobe update quells Unix PDF peril (6 July 2005)

  http://www.theregister.co.uk/2005/07/06/adobe_vuln/

• Adobe patches Acrobat, Reader flaws (17 December 2004)

  http://www.theregister.co.uk/2004/12/17/adobe_patches_bugs/

• Adobe anti-counterfeiting code trips up kosher users (15 January 2004)

  http://www.theregister.co.uk/2004/01/15/adobe_anticounterfeiting_code_trips_up/

• Cracker spills the beans on PDF flaw (18 June 2003)

  http://www.theregister.co.uk/2003/06/18/cracker_spills_the_beans/