Security Developments, Software Updates and Best Practices
QUOTE: A new cross-site scripting attack was announced at the 23rd CCC by Stefano Di Paola & Giorgio Fedon. The gist of the attack is that you are able to get JavaScript executed by simply having it appended to the PDF's URL. This doesn't require the ability to write the PDF, just the ability to generate a URL that is based on a PDF hosted on some site. Mitigation: Turning off JavaScript seems effective at mitigating this. Militant use of the NoScript extension for Firefox would be my recommendation. Of course you have to turn off JavaScript for everything (specifically the target domains, not the website setting up the attack. In the Disenchant examples you would have to disable scripting for Google, MySpace, Microsoft, eBay and BofA) but ...
Adobe users should move to version 8 to avoid the PDF cross-site scripting vulnerability. Version 8 offers