However, researchers now say that cybercriminals could exploit the vulnerability to steal information directly from the user's hard drive.
According to Adobe, this vulnerability does not affect Acrobat 8 or Adobe Reader 8. The PDF giant vowed to release patches next week for previous versions.
"This is not a vulnerability in PDF. Specifically, this issue could occur when a user clicks on a malicious link to a PDF on the web."
Jeremiah Grossman, CTO of WhiteHat Security, said this week that if the flaw had been discovered earlier, it would have made his 2006 top 10 list. The vulnerability has a good chance of becoming 2007's most dangerous flaw, he said.
Asked how long it would take for an attacker to create an exploit for the flaw, Grossman replied, "Five minutes or less. It's not only really bad, it's really easy."
"XSS is normally a server-side issue. In this case, it's not; it's a website issue. So the fix has to be on the client right now, since the servers are not able to fix this."
Ken Dunham, director of the Rapid Response Team at VeriSign iDefense, said today that his firm has determined that Internet Explorer with Adobe Acrobat versions 7 and 8 is not vulnerable, and neither is Firefox with Acrobat 8.
Dunham pointed out that while the possibility of cross-site scripting does exist, "it remains unproven, undeveloped and relatively unlikely at this time."
Adobe Reader flaw more dangerous than thought
By Fiona Raisbeck on Jan 5, 2007 2:29PM