PDFs just became dangerous (at least for now)
January 4, 2007 by Matthew
There are reports all over the blogosphere today of a significant security hole in Acrobat Reader (versions 7 and below), which will allow a web site to perform a cross-site scripting attack when a user views a PDF from the site in a browser window. Symantec has a good summary of the vulnerability, which lists the Acrobat versions and the web browser versions that are vulnerable to this method of attack.
Until Adobe releases a fix for this problem and you have downloaded and installed the patch, it would be best to avoid viewing any PDFs (including digital magazines in PDF format) from any site that you do not completely trust. I should also point out that the NXTbook technology is not based on PDFs, but on Flash, so this vulnerability will not affect NXTbooks at all.
Update: Adobe released a security bulletin on Tuesday. In short, their response is to upgrade to Acrobat Reader 8; if you can't upgrade to version 8, then you should upgrade to version 7.0.9. You can upgrade from this page: http://www.adobe.com/go/getreader. Those of you who are using Acrobat Reader 6 or below and are not able to upgrade to versions 7 or 8 are out of luck for now and will still need to be careful about where you download PDFs from.

