This is a huge gaping hole that even a novice script kiddie could
exploit. Heh, I can just see all the MySpace.com sites including lots
of new PDF links. Let's hope Acrobat 8.0 doesn't have anything
worse...

From:
http://blog.wired.com/monkeybites/20...s_flaw_fo.html
"A new and rather serious flaw has been found in Adobe’s Acrobat
Reader plug-in. The vulnerability exists in nearly any browser with
the Acrobat Reader plug-in installed and allows malicious JavaScript
code to be injected on the client side.
[...]
The flaw exists in Adobe Acrobat 7 and below. Adobe recommends
upgrading to the new Acrobat 8 (see Monkey Bites review), but for
those that don’t want to upgrade, the post on Symantec’s security
response blog has details on a workaround that disables the Acrobat
Reader plugin."

(Security Response Blog reference
http://www.symantec.com/enterprise/s...fs_attack.html)

From:
http://www.wisec.it/vulns.php?page=9

"Adobe Acrobat plugin for Mozilla Firefox and IE (acroreader) is able
to populate Portable Document (PDF file) forms by supplying an
external set of data through the FDF, XML, or XFDF fields.

Implementation of FDF, XML, XFDF
(http://partners.adobe.com/public/dev...Parameters.pdf)
functionality in the Acrobat Reader plugin is vulnerable to different
kinds of attacks. The extent of the vulnerability varies from browser to browser:

1. Universal CSRF / session riding;
(Mozilla Firefox, Internet Explorer, Opera + Acrobat Reader plugin)

2. UXSS in #FDF, #XML and #XFDF;
(Mozilla Firefox + Acrobat Reader plugin)

3. Possible Remote Code Execution;
(Mozilla Firefox + Acrobat Reader plugin)

4. Denial of Service;
(Internet Explorer + Acrobat Reader plugin)"
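The advisory above says the plugin loads external form data from FDF, XML or XFDF open parameters carried in the link's #fragment, which is exactly what a user-generated-content link filter (the "MySpace PDF links" case in the post) can screen for. The following is an added example, not code from the post or the advisory; it parses fragments with Acrobat's documented key=value syntax (parameters separated by & or #) and assumes the parameter names are matched case-insensitively.

```python
from urllib.parse import urlsplit, parse_qsl

# Acrobat open-parameter names that pull form data from an external source.
# The advisory names FDF, XML and XFDF as the affected fragment fields.
UNSAFE_FRAGMENT_KEYS = {"fdf", "xml", "xfdf"}


def fragment_params(url):
    """Return (key, value) pairs from a URL's #fragment, parsed with the
    Acrobat open-parameter syntax. Adobe allows either '&' or '#' between
    parameters, so '#' separators are normalised to '&' before parsing."""
    fragment = urlsplit(url).fragment.replace("#", "&")
    return parse_qsl(fragment, keep_blank_values=True)


def is_risky_pdf_link(url):
    """True when the fragment carries an FDF/XML/XFDF parameter.
    Fragments are never sent to the origin server, so server logs cannot
    show this; the check has to run where the link is submitted or rendered.
    It deliberately does not require a '.pdf' path: the plugin is chosen by
    the response Content-Type, not by the URL's extension."""
    return any(key.strip().lower() in UNSAFE_FRAGMENT_KEYS
               for key, _ in fragment_params(url))


def sanitize_link(url):
    """Drop the whole fragment from a risky link; return safe links unchanged."""
    if not is_risky_pdf_link(url):
        return url
    return urlsplit(url)._replace(fragment="").geturl()


if __name__ == "__main__":
    # Constructed sample links using reserved example domains.
    samples = [
        "http://www.example.com/report.pdf#page=3",
        "http://www.example.com/report.pdf#FDF=http://example.net/form.fdf",
        "http://www.example.com/report.pdf#page=3#xfdf=http://example.net/a.xfdf",
    ]
    for link in samples:
        print("RISKY " if is_risky_pdf_link(link) else "ok    ", sanitize_link(link))
```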