An ill-conceived feature in the widely used Acrobat Reader renders many websites vulnerable to client Cross Site Scripting. The flaw requires user action but is easily exploited in numerous ways.

The Universal PDF XSS flaw was discovered by Stefano Di Paola and Giorgio Fedon, and uses a feature known as "Open Parameters" in Acrobat Reader to permit Cross Site Scripting with JavaScript injection. Symantec's Hon Lau has written a good blog entry on the issue. And GNUCITIZEN has published an excellent tutorial on using XSS with JavaScript to exploit a vulnerable client, helping the public become more aware of the dangers and ease with which this flaw can be exploited. Social networking websites and all others that use SessionIDs are particularly vulnerable to this attack.

The XSS flaw affects Acrobat Reader 7 and prior versions on both Internet Explorer and Firefox for Windows. Vulnerable users are advised to either disable JavaScript, upgrade to Acrobat Reader 8, or use an alternative PDF reader or plug-in for their browser of choice.

securityfocus.com