Security Hole in PDF Reader Could Expose Local Files

Adobe's PDF viewing software could expose sensitive information to remote attackers, and the company is urging users to either upgrade their software or turn off support for JavaScript in PDF files. The affected software includes Adobe Reader 7.0 and 7.0.1, and Adobe Acrobat 7.0 and 7.0.1 on both Windows and Mac.

"If an XML script is embedded in JavaScript, it is possible to discover the existence of local files," Adobe said in an advisory. "An attacker could then use the information gathered for malicious purposes. However the impact is minimized due to the fact that the existence of local files can only be discovered if the complete filenames and paths are known in advance by the attacker."

Adobe's PDF (Portable Document Format) is widely used to share documents via email attachments or web downloads. Adobe estimates that there are more than 20 million PDF files available on the Internet, and PDFs are commonly used in legal and medical documents, as well as for business contracts.

Windows users can upgrade to Adobe Reader 7.0.2 and Adobe Acrobat 7.0.2, which are available from the Adobe website. The company is preparing an update for Mac users. Until that update is available, Mac users can disable JavaScript in Acrobat by choosing Adobe > Preferences > JavaScript and deselecting "Enable Acrobat JavaScript."