Adobe Acrobat lets parameters be passed to it when a PDF file is opened. Generally speaking, this is helpful. But because this capability also applies when a PDF is opened from a Web site in a browser, and Web pages can execute scripts, Acrobat can be used to launch malware. For example, parameters may be passed in this form:
This tells Acrobat to jump immediately to a designated spot in the document. (See partners.adobe.com/public/developer/en/acrobat/PDFOpenParameters.pdf for specifics and more parameters.)
This XSS can be blocked in a managed network through filtering at a firewall or IDS/IPS. Individual users can disable in-browser PDF opening (the Acrobat plug-in) in their browsers. In Internet Explorer (since Microsoft Windows XP SP2), go to Tools | Internet Options | Programs, press the Manage Add-Ons button, select Adobe PDF Reader from the list, click the Disable radio button, and then click OK.
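As an added example of the filtering mentioned above (not code from the original article or from Adobe), here is a small Python checker that parses the open-parameter fragment of PDF links and flags any link whose parameters are not in the documented set or carry script-like content. The parameter names are a subset of those listed in Adobe's PDFOpenParameters document; the URLs and HTML sample are constructed. Note that a URL fragment is never sent in the HTTP request line, so a network filter can only see these parameters in the page content that references the PDF, not in the request for the PDF itself.

```python
import re
from urllib.parse import urlsplit, unquote

# Subset of the open parameters documented in Adobe's PDFOpenParameters guide.
KNOWN_OPEN_PARAMS = {"page", "nameddest", "zoom", "view", "pagemode",
                     "search", "toolbar", "scrollbar", "fdf", "comment"}

# Content that has no business inside a PDF open-parameter value
# (a script-capable URI scheme or markup that could run in the browser).
_SCRIPT_RE = re.compile(r"(javascript|vbscript|data)\s*:|<\s*script", re.I)


def parse_open_params(url):
    """Return the open parameters in a PDF URL's fragment as a dict,
    or None when the URL is not a PDF or has no fragment.
    Open parameters are encoded as key=value pairs joined by '&'."""
    parts = urlsplit(url)
    if not parts.path.lower().endswith(".pdf") or not parts.fragment:
        return None
    params = {}
    for item in parts.fragment.split("&"):
        key, _, value = item.partition("=")
        params[key.strip().lower()] = unquote(value)
    return params


def is_suspicious(url):
    """True when a PDF link carries an undocumented parameter name
    or a parameter value that looks like script or markup."""
    params = parse_open_params(url)
    if params is None:
        return False
    return any(key not in KNOWN_OPEN_PARAMS or _SCRIPT_RE.search(value)
               for key, value in params.items())


def scan_links(html):
    """Return the suspicious PDF links found in the href attributes of an HTML page."""
    links = re.findall(r'href\s*=\s*["\']([^"\']+)["\']', html, re.I)
    return [u for u in links if is_suspicious(u)]


# Constructed sample page: one benign "jump to page 3" link and one
# link that smuggles an unknown parameter holding a script tag.
SAMPLE_HTML = """
<a href="http://example.com/report.pdf#page=3&zoom=100">Report</a>
<a href="http://example.com/report.pdf#page=1&note=%3Cscript%3E">Odd</a>
<a href="http://example.com/index.html#page=3">Not a PDF</a>
"""

if __name__ == "__main__":
    print(scan_links(SAMPLE_HTML))
```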
In Firefox, open Tools | Options | Content, click Manage in the File Types section, and then, for each type opened by Acrobat, select Change Action and tell it to open the external application rather than the Acrobat plug-in.
According to Symantec, this problem affects Adobe Acrobat Reader versions 6 and 7. Version 8 is not vulnerable. All versions of Firefox and Internet Explorer 6 SP1 and earlier are vulnerable, but Internet Explorer 6 SP2 and Internet Explorer 7 appear not to be.