There are reports of a major problem concerning Adobe Acrobat files and Cross Site Scripting (XSS). A flaw was revealed in the way that the Adobe Reader browser plugin can be made to execute JavaScript code on the client side.
This stems from the “Open Parameters” feature in Adobe Reader, which allows for parameters to be sent to the program when opening a .pdf file. Like most things in life, this was a feature designed for benevolent usage, but sadly somebody has discovered that it can also be used for malicious purposes.
This development is significant for a number of reasons:
1. The ease with which this weakness can be exploited is breathtaking. Use of this “feature” requires no exploitation of vulnerabilities on the server side.
2. Any Web site that hosts a .pdf file can be used to carry out this attack. All the attacker has to do is find out who is hosting a .pdf file on their Web server and then piggyback on it to mount an attack. What this means, in a nutshell, is that anybody hosting a .pdf file, including well-trusted brands and names on the Web, could have their trust abused and become unwilling partners in crime.
3. Due to the power and flexibility of JavaScript, the attacker has a wide scope for inflicting damage.
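As an added example (not part of the report above, and not Adobe's code): a small Python audit of the response headers a site uses for its hosted PDFs. Because the abuse depends on the browser handing the .pdf and its URL to the Reader plugin for in-browser rendering, a site owner's check is whether PDFs are served with `Content-Disposition: attachment`, which makes the browser download the file instead; the sample responses below are constructed.

```python
# Added example: audit HTTP response headers for PDFs that a browser would
# hand to the Adobe Reader plugin for inline rendering, and produce hardened
# headers that force a download instead. Sample responses are constructed.
from typing import Dict, List, Tuple

PDF_TYPES = {"application/pdf", "application/x-pdf"}


def _header(headers: Dict[str, str], name: str) -> str:
    """Case-insensitive header lookup; returns '' when the header is absent."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return ""


def is_inline_pdf(path: str, headers: Dict[str, str]) -> bool:
    """True when this response would be rendered in-browser by a PDF plugin."""
    ctype = _header(headers, "Content-Type").split(";")[0].strip().lower()
    looks_like_pdf = ctype in PDF_TYPES or path.lower().endswith(".pdf")
    disposition = _header(headers, "Content-Disposition").split(";")[0].strip().lower()
    return looks_like_pdf and disposition != "attachment"


def harden_pdf_headers(path: str, headers: Dict[str, str]) -> Dict[str, str]:
    """Return a copy of the headers that forces a download for PDF responses."""
    if not is_inline_pdf(path, headers):
        return dict(headers)
    # Derive a filename from the path; strip quotes so the header stays well formed.
    filename = (path.rsplit("/", 1)[-1] or "document.pdf").replace('"', "")
    hardened = {k: v for k, v in headers.items() if k.lower() != "content-disposition"}
    hardened["Content-Disposition"] = f'attachment; filename="{filename}"'
    return hardened


def audit(responses: List[Tuple[str, Dict[str, str]]]) -> List[str]:
    """Paths whose responses would be rendered inline by a PDF plugin."""
    return [path for path, hdrs in responses if is_inline_pdf(path, hdrs)]


# Constructed sample responses (hypothetical paths, not a real site).
SAMPLE_RESPONSES = [
    ("/reports/annual.pdf", {"Content-Type": "application/pdf"}),
    ("/reports/q1.pdf", {"Content-Type": "application/pdf",
                         "Content-Disposition": 'attachment; filename="q1.pdf"'}),
    ("/download", {"content-type": "application/x-pdf; charset=binary"}),
    ("/index.html", {"Content-Type": "text/html"}),
]

if __name__ == "__main__":
    for flagged in audit(SAMPLE_RESPONSES):
        print("inline PDF:", flagged)
```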