This development is significant for a number of reasons:
• The ease with which this weakness can be exploited is breathtaking. Use of this “feature” requires no exploitation of vulnerabilities on the server side.
• Any Web site that hosts a .pdf file can be used to conduct this attack. All the attacker has to do is find out who is hosting a .pdf file on their Web server and then piggyback on it to mount an attack. What this means, in a nutshell, is that anybody hosting a .pdf file, including well-trusted brands and names on the Web, could have their trust abused and become unwilling partners in crime.
For more information about Cross Site Scripting, you can read Zulfikar’s blog entry about the topic of Phishing and XSS from July of last year.
For more information about this vulnerability, please read Adobe's advisory at http://www.adobe.com/support/security/advisories/apsa07-01.html
You can mitigate this problem by upgrading to Adobe Reader 8.
Alternatively, you can implement a workaround in your browser so that it does not use the Acrobat Reader plugin. The following instructions apply to the Firefox browser:
• In the Tools menu, select Options.
• Select Downloads in the Options dialog.
• Click on the View & Edit Actions button.
• In the Download Actions dialog, choose the action for the PDF extension or the Adobe Acrobat Document file type and then click on Change Action.
• In the Change Action dialog, choose the Open them with the default application option.
• Click on OK, Close and OK to close out of the Options dialog.
Subsequent testing has shown that systems running Internet Explorer 6 and Adobe Reader 7 on Windows XP SP1, and systems with Internet Explorer 6 and Adobe Reader 4 on Windows XP SP2 are also vulnerable to the attack.