Stefano Di Paola and Giorgio Fedon have discovered some vulnerabilities in Adobe Reader, which can be exploited by malicious people to conduct cross-site scripting attacks, as a vector for conducting cross-site request forgery attacks, or potentially compromise a user's system.

1) Input passed to a hosted PDF file is not properly handled by the browser plug-in, which can be exploited to cause memory corruption and potential execution of arbitrary code.

Example:
http://[host]/[filename].pdf#[some text]=javascript:document.write('[string including some "." characters]');

2) Input passed to a hosted PDF file is not properly sanitised by the browser plug-in before being returned to users. This can be exploited to execute arbitrary script code in a user's browser session in context of an affected site.

Example:
- http://[host]/[filename].pdf#[some text]=javascript:[code]

3) Input passed to a hosted PDF file is not properly sanitised by the browser plug-in and allows requesting arbitrary URLs, which provides a vector for performing CSRF attacks.

Example:
http://[host]/[filename].pdf#[some text]=[site]

It is also possible to cause the browser to stop responding by passing a lot of "#" characters.

The vulnerabilities are confirmed in Adobe Reader version 6.0.1 for Windows via Internet Explorer 6 and version 7.0.8 for Windows via Firefox 2.0.0.1. The following products are reportedly affected as well:
* Adobe Acrobat 3D
* Adobe Acrobat Standard, Professional, and Elements version 7.0.8 and prior
* other Adobe Reader versions prior to 7.0.8

Solution
Upgrade to version 8.0.0.
Further details available in Customer Area

Provided and/or discovered by
1-3) Stefano Di Paola

Browser DoS reported by:
* Giorgio Fedon

Changelog
Further details available in Customer Area

Original Advisory
Adobe:
http://www.adobe.com/support/security/advisories/apsa07-01.html
http://www.adobe.com/support/security/bulletins/apsb07-01.html
http://www.adobe.com/support/downloads/detail.jsp?ftpID=3580
http://www.adobe.com/support/downloads/detail.jsp?ftpID=3579

Wisec:
http://www.wisec.it/vulns.php?page=9

Other references
Further details available in Customer Area

Deep Links
Links available in Customer Area