Original URL: https://www.theregister.com/2007/01/04/adobe_scripting_flaw/

Adobe scripting flaw unearthed

Browser plug-in peril

By John Leyden

Posted in Channel, 4th January 2007 11:49 GMT

Users are advised to upgrade their Adobe Reader software following the discovery of a potentially serious cross-site scripting bug. The vulnerability, which affects Adobe Reader 6.x and Adobe Reader 7.x, means it is possible to execute potentially hostile JavaScript code simply by appending it to a PDF's URL.

The flaw, discovered by security researchers Stefano Di Paola and Giorgio Fedon and announced at the Chaos Communication Congress conference in Berlin this week, might be most easily exploited through Adobe Reader browser plug-ins. Users are advised to upgrade to Adobe Reader version 8.0 to defend against attack, or to apply the workarounds suggested by the SANS Institute's Internet Storm Centre. ®