Adobe Reader security flaw – unlimited bad publicity
The recently discovered Adobe Reader bug allows an attacker to inject JavaScript via a PDF which is hosted on a trusted domain. For example, assume that a user clicks on a link in site A (which is not very trusted) to go to a PDF on site B (which is a trusted site). Site A can inject JavaScript via the PDF link which will appear to be executed from site B! This is possible since additional commands can be sent to Reader when opening a file.
What makes this scary is that there is nothing site B can do to prevent this (of course, other than taking down all PDF documents)! But this flaw appears relatively harmless since only things that can be snooped are the cookies and session data. It won’t be able to format your machine or steal your local files.
Adobe recommends upgrading your Adobe Reader to version 8 to fix this bug. Adobe may not enjoying all the bad publicity it is getting!
Hello,
might be a bit off topic, but I also very much dislike that Adobe Reader has JavaScript capabilities. I recommend anyone to disable JavaScript in Adobe Reader.
Denice