Stefano Di Paola and Giorgio Fedon have discovered various vulnerabilities in Adobe Acrobat Reader's plugin. They presented them at the CCC Congress in a presentation on vulnerabilities in web applications that use AJAX.

The original advisory can be found here.

Among the vulnerabilities found, one has been called "UXSS" (Universal Cross Site Scripting). It exploits a lack of checks in the plugin when the "OpenParameters" function is used. This function lets the URL set certain characteristics for viewing a PDF document. The problem arises because JavaScript code can be added to the URL, and that code is executed when the URL is visited. This opens the door to phishing attacks.

You can find more information on this vulnerability here.
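
As an added example (not from the original advisory or from Adobe), here is a link check that a mail or content filter could apply to PDF URLs before they reach a browser. It assumes the open parameters follow `#` and are separated by `&`; the allowlisted names, the value pattern and the `example.test` host are choices made for this illustration.

```javascript
// Added example: allowlist check for PDF "open parameters" in a link.
// Assumption: parameters follow '#' and are separated by '&'; the names
// below are an illustrative subset of the viewer's documented parameters.
const ALLOWED_PARAMS = new Set(["page", "zoom", "view", "nameddest", "pagemode", "toolbar", "scrollbar"]);
const SAFE_VALUE = /^[A-Za-z0-9_.,-]*$/; // no ':', '(', quotes or whitespace

function auditPdfLink(href) {
  let url;
  try {
    url = new URL(href);
  } catch {
    return { isPdf: false, ok: false, reasons: ["unparseable URL"], safeHref: null };
  }
  const isPdf = url.pathname.toLowerCase().endsWith(".pdf");
  const fragment = url.hash.slice(1);
  const reasons = [];
  if (isPdf && fragment !== "") {
    for (const pair of fragment.split("&")) {
      const eq = pair.indexOf("=");
      const rawName = eq === -1 ? pair : pair.slice(0, eq);
      const rawValue = eq === -1 ? "" : pair.slice(eq + 1);
      let name, value;
      try {
        // Decode first so percent-encoded content is judged in its real form.
        name = decodeURIComponent(rawName).toLowerCase();
        value = decodeURIComponent(rawValue);
      } catch {
        reasons.push(`malformed percent-encoding in "${pair}"`);
        continue;
      }
      if (!ALLOWED_PARAMS.has(name)) reasons.push(`unknown parameter "${name}"`);
      else if (!SAFE_VALUE.test(value)) reasons.push(`unsafe value for "${name}"`);
    }
  }
  // On any finding, drop the whole fragment rather than trying to repair it.
  if (reasons.length > 0) url.hash = "";
  return { isPdf, ok: reasons.length === 0, reasons, safeHref: url.href };
}

// Constructed sample links (example.test is a placeholder host).
const SAMPLES = [
  "http://example.test/report.pdf#page=3&zoom=150",
  "http://example.test/report.pdf#page=1&x=javascript:void(0)",
];
for (const s of SAMPLES) console.log(s, "->", JSON.stringify(auditPdfLink(s)));
```

The fragment is never sent to the web server, so a check like this has to run where the full link is visible, such as on message or page content.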

Affected systems (known at the moment):
Version 6.0.1 for Windows via Internet Explorer 6
Version 7.0.8 for Windows via Firefox 2.0.0.1.
Other versions may also be affected.

Thanks to Mario Ballano and Pedro Montoya.