Users are advised to upgrade their Adobe Reader software following the discovery of a potential serious cross-site scripting bug (http://secunia.com/advisories/23483). The vulnerability, which involves Adobe Reader 6.x and Adobe Reader 7.x, means it is possible to execute potential hostile JavaScript code simply by appending it to a PDF's URL.

The flaw, discovered by security researchers Stefano Di Paola and Giorgio Fedon and announced (http://events.ccc.de/congress/2006/Fahrplan/events/1602.en.html) at the Chaos Communication Congress conference in Berlin this week, might be most easily exploited through Adobe Reader browser plug-ins (http://www.disenchant.ch/blog/hacking-with-browser-plugins/34). Users are advised to upgrade to Adobe Reader version 8.0 to defend against attack, or to apply workarounds as suggested by the SANS Institute's Internet Storm Centre here (http://www.kb.cert.org/vuls/id/815960). ®

Related stories

Adobe Reader Trojan predates mystery update by two weeks (11 February 2008)
http://www.channelregister.co.uk/2008/02/11/adobe_reader_exploit/
Stealthy Adobe Reader update fixes mystery security bugs (7 February 2008)
http://www.channelregister.co.uk/2008/02/07/stealth_adobe_reader_update/
Malware spectre haunts Adobe Reader (21 September 2007)
http://www.channelregister.co.uk/2007/09/21/pdf_peril/
Fake flash player site used to spread malware (22 June 2007)
http://www.channelregister.co.uk/2007/06/22/shockwave_social_engineering_ruse/
Bug brace menaces Adobe Photoshop (1 May 2007)
http://www.channelregister.co.uk/2007/05/01/adobe_photoshop_bugs/
Attackers improve on JavaScript trickery (20 April 2007)
http://www.channelregister.co.uk/2007/04/20/javascript_obfuscation_attacks/
New vulnerability strikes heart of Web 2.0 (3 April 2007)
http://www.theregister.co.uk/2007/04/03/javascript-hijacking/
Adobe targets developers with Apollo (19 March 2007)
http://www.channelregister.co.uk/2007/03/19/adobe_atlas/
150 ways to let hackers in (5 February 2007)
http://www.theregister.co.uk/2007/02/05/fortify_rulepack/
Bug brokers offering higher bounties (25 January 2007)
http://www.channelregister.co.uk/2007/01/25/bug_brokers_offering_higher_bouties/
Adobe Reader update lances multiple bugs (11 January 2007)
http://www.channelregister.co.uk/2007/01/11/adobe_reader_update/
Adobe, Symantec press EC to remove Vista tanks from their lawns (22 September 2006)
http://www.channelregister.co.uk/2006/09/22/symantec_adobe_vista_objections/
Adobe adopts monthly patch cycle (15 December 2005)
http://www.channelregister.co.uk/2005/12/15/adobe_monthly_patch_plan/
Adobe warns over PDF peril (17 August 2005)
http://www.theregister.co.uk/2005/08/17/adobe_pdf_glich/
Adobe update quells Unix PDF peril (6 July 2005)
http://www.theregister.co.uk/2005/07/06/adobe_vuln/
Adobe patches Acrobat, Reader flaws (17 December 2004)
http://www.theregister.co.uk/2004/12/17/adobe_patches_bugs/
Adobe anti-counterfeiting code trips up kosher users (15 January 2004)
http://www.theregister.co.uk/2004/01/15/adobe_anticounterfeiting_code_trips_up/
Cracker spills the beans on PDF flaw (18 June 2003)
http://www.theregister.co.uk/2003/06/18/cracker_spills_the_beans/