Users are advised to upgrade their Adobe Reader software following the discovery of a potential serious cross-site scripting bug. The vulnerability, which involves Adobe Reader 6.x and Adobe Reader 7.x, means it is possible to execute potential hostile JavaScript code simply by appending it to a PDF's URL.

The flaw, discovered by security researchers Stefano Di Paola and Giorgio Fedon and announced at the Chaos Communication Congress conference in Berlin this week, might be most easily exploited through Adobe Reader browser plug-ins. Users are advised to upgrade to Adobe Reader version 8.0 to defend against attack, or to apply workarounds as suggested by the SANS Institute's Internet Storm Centre here. ®

Related stories

• Adobe Reader Trojan predates mystery update by two weeks (11 February 2008)
• Stealthy Adobe Reader update fixes mystery security bugs (7 February 2008)
• Malware spectre haunts Adobe Reader (21 September 2007)
• Fake flash player site used to spread malware (22 June 2007)
• Bug brace menaces Adobe Photoshop (1 May 2007)
• CanSecWest Attackers improve on JavaScript trickery (20 April 2007)
• New vulnerability strikes heart of Web 2.0 (3 April 2007)
• Adobe targets developers with Apollo (19 March 2007)
• 150 ways to let hackers in (5 February 2007)
• Bug brokers offering higher bounties (25 January 2007)
• Adobe Reader update lances multiple bugs (11 January 2007)
• Adobe, Symantec press EC to remove Vista tanks from their lawns (22 September 2006)
• Adobe adopts monthly patch cycle (15 December 2005)
• In brief Adobe warns over PDF peril (17 August 2005)
• In brief Adobe update quells Unix PDF peril (6 July 2005)
• Adobe patches Acrobat, Reader flaws (17 December 2004)
• Adobe anti-counterfeiting code trips up kosher users (15 January 2004)
• Cracker spills the beans on PDF flaw (18 June 2003)